Welcome Einar,

On 12/14/21 12:36 AM, Einar Bjarni Halldórsson wrote:
> Hi,
> 
> We're preparing to migrate our zones from OpenDNSSEC 1.4 to Knot DNS 3.1 (and
> eventually the .is zone).
> We've already migrated one unsigned zone to the new signers, but next on the
> list is the first currently signed zone.
> We're going to migrate the zone by doing a key rollover, so we'll add DNSKEY
> records for the new keys to the zone on the old signer and vice versa. While
> we're migrating the zone we have to stop automatic key rollovers, and I planned
> to create a new policy 'dnssec_freeze' with `manual: on` and apply it to zones
> during migration.

As Anand wrote already, you cannot simply modify the DNSKEY RRset in the zone.
You have to use `keymgr import-pub` instead and set some key timestamps via
`keymgr set` if necessary.
Also you don't need to switch to the manual mode. Knot changes the keys only if
there is a reason for that (e.g. a DNSSEC policy modification). If you need
more time, you can just extend the zsk-lifetime.

> 
> Am I correct that this will stop all automatic key rollovers, but keep the
> signatures updated?

Yes, that's exactly how the manual key management works.

> 
> When the migration is complete, DS records and delegations have been updated
> etc., I'll change the policy to an automatic policy. Will Knot seamlessly
> start automatically rolling over keys according to the new policy?

Yes, Knot will continue managing the keys automatically.

Daniel

> 
> .einar
> 
> 
-- 
https://lists.nic.cz/mailman/listinfo/knot-dns-users
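Below, as an added example that is not part of this thread and not code from the Knot project, is a shell sketch of the Knot-side steps Daniel describes: a frozen policy with `manual: on`, importing the old signer's public keys with `keymgr import-pub` rather than editing the DNSKEY RRset by hand, adjusting key timestamps with `keymgr set`, and removing the imported keys once the DS and delegation point at the new signer. The zone name `example.is`, the `./old-keys/*.key` layout, the chosen timestamp values, and the reliance on a `public-only=yes|no` field in `keymgr <zone> list` output are assumptions of the example, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Knot project).
# Assumptions: ZONE stands in for the real zone; the old signer's public keys
# were exported one DNSKEY record per file (BIND zone-file format) into
# ./old-keys/; Knot 3.1's keymgr and knotc are in PATH. Override KEYMGR and
# KNOTC (e.g. KEYMGR=echo KNOTC=echo) for a dry run.
set -eu

ZONE="${ZONE:-example.is}"
KEYMGR="${KEYMGR:-keymgr}"
KNOTC="${KNOTC:-knotc}"

# 1. Policy used during the migration. `manual: on` stops automatic rollovers;
#    Knot still refreshes RRSIGs. zsk-lifetime is the knob to extend instead
#    if all you need is more time between automatic rollovers.
freeze_policy_conf() {
  cat <<EOF
policy:
  - id: dnssec_freeze
    manual: on
    zsk-lifetime: 30d

zone:
  - domain: ${ZONE}
    dnssec-signing: on
    dnssec-policy: dnssec_freeze
EOF
}

# 2. Put the old signer's public keys into Knot's keystore instead of editing
#    the DNSKEY RRset. import-pub stores only the public part, so Knot will
#    publish these keys in the DNSKEY RRset but can never sign with them.
#    Prints the number of files imported.
import_old_pubkeys() {
  dir="$1"
  n=0
  for f in "$dir"/*.key; do
    [ -e "$f" ] || continue
    "$KEYMGR" "$ZONE" import-pub "$f"
    n=$((n + 1))
  done
  echo "$n"
}

# Key ids of imported (public-only) keys, parsed from `keymgr <zone> list`.
# Assumes the one-key-per-line output carrying a `public-only=yes|no` field.
public_only_key_ids() {
  "$KEYMGR" "$ZONE" list | awk '/ public-only=yes( |$)/ { print $1 }'
}

# 3. Timestamps, if import-pub did not already set what you want. The old
#    signer already serves these keys, so they must be published immediately;
#    no active time is set because a public-only key cannot sign. (publish=now
#    is this example's choice, not a value given in the thread.)
publish_imported_keys() {
  for id in $(public_only_key_ids); do
    "$KEYMGR" "$ZONE" set "$id" publish=now
  done
  "$KNOTC" zone-sign "$ZONE"
}

# 4. After the DS and delegation reference the new keys and the old signer is
#    out of rotation, schedule removal of the imported keys so the DNSKEY RRset
#    shrinks back to Knot's own keys, then re-sign. Switching the zone to the
#    automatic policy afterwards is a config change plus `knotc reload`.
retire_imported_keys() {
  for id in $(public_only_key_ids); do
    "$KEYMGR" "$ZONE" set "$id" remove=now
  done
  "$KNOTC" zone-sign "$ZONE"
}

# Usage: ./migrate.sh import | publish | retire
case "${1:-}" in
  import)  import_old_pubkeys ./old-keys ;;
  publish) publish_imported_keys ;;
  retire)  retire_imported_keys ;;
  config)  freeze_policy_conf ;;
  *) ;;
esac
```

Run `./migrate.sh config` to see the frozen policy fragment, then `import`, `publish` and, at the very end of the migration, `retire`; each step only wraps `keymgr`/`knotc` so the real commands stay visible.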
