Hi Libor and Anand,

Thanks for both replies!

Interesting suggestion to not have knot do automatic key rolls, but simply schedule something in my agenda for a convenient moment, and set ksk-lifetime to zero.

Thanks for confirming the reasonability of our dnssec understanding, and making this great piece of software available. So strange that I had never heard of knot, until three weeks ago!

MJ


On 19-08-2021 at 12:21, libor.peltan wrote:
Hi MJ,

> - enable dnssec for the zone / reverse zone in knot.conf
> - restart knot
> - display the generated dnssec keys, using:
>
> keymgr sub.company.com dnskey
> keymgr sub.company.com ds
> (plus the reverse)
>
> - send the outputs of the above to the admins at company.com
> - after they have entered the keys in their dns, the world can check & verify our dnssec, and things are operational.
Correct. One thing left is that you should tell Knot that the parent already has the correct DS. This can be achieved in two ways:
1) by calling `knotc zone-ksk-submitted`
2) by configuring the submission section, you enable Knot to find out itself. https://www.knot-dns.cz/docs/3.1/singlehtml/index.html#dnssec-key-rollovers
> Question one:
> Is there some kind of notification mechanism in knot, that reminds us (through email for example) that a ksk is about to expire, and keys need to be renewed at company.com dns? I cannot find such a function. Does it not exist? Or do we misunderstand something? It seems to be so vital.
Again, you have several options:
1) read the Knot log file (it's not too cluttered usually)
2) use structured logging (see the end of the already linked documentation chapter; this is mostly useful for scripting)
3) not configure ksk-lifetime (set to zero = infinity) and either never roll KSK at all, or trigger the roll manually as needed by calling `knotc zone-key-rollover ksk`
> Question two:
> How unreasonable/insecure would it be to take a longer ksk lifetime than one year, let's say 10 years. With the idea that we can always manually renew keys earlier, in case we need to.
This is difficult to say. Unless quantum-computing apocalypse arrives, it seems quite safe to use single KSK for several years.

> Feedback on the above is welcome. We have scheduled a maintenance moment next week with the admins on company.com to send them the keys and activate dnssec.
>
> Thanks in advance for any feedback/pointers you can provide.
>
> Best regards,
> MJ

Wish you all the best,

Libor


--
https://lists.nic.cz/mailman/listinfo/knot-dns-users
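The check behind Libor's "tell Knot that the parent already has the correct DS" step, as an added example that is not part of this thread and not Knot DNS code: it recomputes the DS from our DNSKEY records (RFC 4034 key tag and digest over owner name plus rdata) and reports which of the parent's DS records match a KSK, so you can confirm what company.com published before running `knotc zone-ksk-submitted`. The DNSKEY and DS lines are constructed samples in the layout `keymgr <zone> dnskey` / `dig DS` would give; the 4-byte public key is a stand-in, not a real ECDSA key, and the zone name is assumed.

```python
"""Recompute DS from DNSKEY and compare with what the parent publishes.
Added example; follows RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4)."""
import base64
import hashlib
import struct

# Constructed sample records (not real keys). Flags 257 = zone key + SEP bit (a KSK),
# flags 256 = a ZSK, which never needs a DS at the parent. "AQIDBA==" is the 4-byte
# stand-in key 01 02 03 04, not a valid ECDSA P-256 key.
SAMPLE_DNSKEY_LINES = [
    "sub.company.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "sub.company.com. 3600 IN DNSKEY 256 3 13 BQYHCA==",
]

# DS digest types we accept: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY rdata: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS fields (key tag, algorithm, digest type, upper-case hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey_line(line: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...'; base64 may span tokens."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    return tok[0], flags, proto, alg, base64.b64decode("".join(tok[i + 4:]))


def parse_ds_line(line: str):
    """Parse 'owner [TTL] [IN] DS tag alg digesttype hex...'; hex may span tokens."""
    tok = line.split()
    i = tok.index("DS")
    tag, alg, dtype = (int(x) for x in tok[i + 1:i + 4])
    return tag, alg, dtype, "".join(tok[i + 4:]).upper()


def check_parent_ds(dnskey_lines, parent_ds_lines):
    """Return (matched, unmatched): parent DS tuples that equal the DS computed from one of
    our KSKs in the same digest type, and those that do not (stale, typo, or ZSK-derived)."""
    expected = set()
    for line in dnskey_lines:
        owner, flags, proto, alg, pubkey = parse_dnskey_line(line)
        if flags & 0x0001:  # SEP bit set: this key is a KSK
            for dtype in DIGEST_ALGS:
                expected.add(ds_from_dnskey(owner, flags, proto, alg, pubkey, dtype))
    matched, unmatched = [], []
    for line in parent_ds_lines:
        ds = parse_ds_line(line)
        (matched if ds in expected else unmatched).append(ds)
    return matched, unmatched


if __name__ == "__main__":
    owner, flags, proto, alg, pubkey = parse_dnskey_line(SAMPLE_DNSKEY_LINES[0])
    tag, _, dtype, digest = ds_from_dnskey(owner, flags, proto, alg, pubkey)
    print(f"DS to hand to the parent: {owner} IN DS {tag} {alg} {dtype} {digest}")
    # Constructed "parent" answer: one correct DS, one stale DS from an old key.
    parent = [
        f"{owner} 86400 IN DS {tag} {alg} {dtype} {digest}",
        f"{owner} 86400 IN DS 1111 13 2 {'00' * 32}",
    ]
    matched, unmatched = check_parent_ds(SAMPLE_DNSKEY_LINES, parent)
    for ds in matched:
        print("OK   parent DS matches KSK tag", ds[0])
    for ds in unmatched:
        print("WARN parent DS does not match any current KSK:", ds)
    if matched:
        print("parent has our DS; safe to run: knotc zone-ksk-submitted", owner.rstrip("."))
```

In practice feed `keymgr sub.company.com dnskey` output to the first list and `dig +short DS sub.company.com` (with the owner prepended) to the second; a DS that turns up only in `unmatched` is exactly the stale entry a manual KSK roll with `ksk-lifetime` set to zero would leave behind at the parent if the admins are not told to replace it.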
