On 14/12/2021 01:08, Einar Bjarni Halldórsson wrote:

Hi Einar,

> I just realized that Knot replaces the whole DNSKEY set in the zone with the keys from the KASP, so my plan to add the DNSKEY records from the old signer to the zone before signing is not valid.
>
> I guess we'll have to move the old keys to the new signers.

You don't need to. You can import the ZSKs from the old signer into Knot's key database, using the "import-pub" command to "keymgr". Knot will publish these alongside its own keys, and sign the DNSKEY RRset with its own KSK.

This is how we switched signers at RIPE NCC, and it worked perfectly. You can read more about it here:

https://labs.ripe.net/author/anandb/dnssec-signer-migration/

Regards,
Anand Buddhdev
RIPE NCC
--
https://lists.nic.cz/mailman/listinfo/knot-dns-users