Hi Chris,

On 12/15/21 10:28 PM, Chris wrote:
> On 2021-12-15 13:01, Anand Buddhdev wrote:
>> On 15/12/2021 20:18, Chris wrote:
>>
>> Hi Chris,
>>
>> [snip config details]
>>
>>> How would I best make this change? Is it enough to simply change algorithm:
>>> and knot will just do the right thing?
>>
>> Yes, please! Just change the algorithm and let Knot do its thing. It will do the
>> right thing. Please do *not* fiddle with things manually. DNSSEC is complex, and
>> algorithm roll-overs require care. The developers of Knot have put in a lot of
>> care into handling algorithm roll-overs. Trust their expertise.
> Thanks for the reply, Anand! :-)
> I'm well aware of all the complexities, and am well confident in Knot's abilities
> to DTRT. But "stuff" happens. E.g., after creating the additional policy
> some of the zones are _also_ adopting that new policy as _well_ as the original
> policy. IOW there are some zones with both RSASHA1 _and_ RSASHA256 hashes in
> them.

A zone cannot use more than one DNSSEC policy! I think you are confused by the ongoing algorithm rollover, during which both algorithms are present in the zone (see https://datatracker.ietf.org/doc/html/rfc6781#section-4.1.4).

> config (diffs):
> policy:
>   - id: rsa1
>     algorithm: RSASHA1
>     zsk-size: 1024
>
> policy:
>   - id: rsa2
>     algorithm: RSASHA256
>     zsk-size: 2048
>
> ALL zones but the test zone mentioned earlier:
>
>   - domain: domain.name
>     ...
>     dnssec-signing: on
>     dnssec-policy: rsa1
>
> So why do (some) zones arbitrarily pick up the added policy when it
> is not the policy declared within the domain block?

Isn't it possible that the policy is declared in a zone template?

Daniel

> IOW dnssec-policy: rsa1 is the only dnssec-policy listed within all the
> domain blocks, and it's listed within all of the domain blocks, save
> the earlier test domain. So "stuff" happened. :-/
>
> Thanks again, for taking the time to respond, Anand.
>
> -- Chris
>>
>> Regards,
>> Anand

--
https://lists.nic.cz/mailman/listinfo/knot-dns-users
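The template inheritance Daniel points at, shown as an added knot.conf example that is not part of the thread and not Chris's or Anand's configuration. It uses only standard Knot DNS configuration items (`policy`, `template`, `zone`, `dnssec-signing`, `dnssec-policy`); the zone names are constructed for the example. The implicit `default` template applies to every zone block that does not name a template, so a `dnssec-policy` set there is inherited by zones whose own block never mentions a policy, while a per-zone `dnssec-policy` overrides it:

```yaml
# Added example (constructed, not from the mailing-list thread).
policy:
  - id: rsa1
    algorithm: RSASHA1
    zsk-size: 1024

  - id: rsa2
    algorithm: RSASHA256
    zsk-size: 2048

template:
  # The "default" template is applied to every zone that sets no template.
  - id: default
    dnssec-signing: on
    dnssec-policy: rsa2      # inherited by any zone below that sets no policy

zone:
  # Constructed zone names for illustration.
  - domain: inherits.example
    # no dnssec-policy here -> effective policy is rsa2, from the template

  - domain: explicit.example
    dnssec-policy: rsa1      # per-zone value overrides the template value
```

To see which policy a zone actually ends up with, read the effective value back from the running server rather than from the zone block alone, e.g. `knotc conf-read 'zone[inherits.example].dnssec-policy'`. When a zone's effective policy switches from an RSASHA1 policy to an RSASHA256 one, keys and signatures of both algorithms are expected to coexist in the zone for the duration of the rollover described in RFC 6781 section 4.1.4; that is the rollover in progress, not a zone with two policies.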
