Hi Chris,

thank you for using Knot DNS, as well as for migrating to some better DNSSEC algorithm :)

Although an algorithm rollover can be performed very easily with Knot DNS, it's not an easy process by itself, and it's necessary to first understand it in general.

Algorithm rollover has several steps and there are necessary delays between them, so it will probably take much more than an hour.

When you try for the first time, I would recommend starting with the much simpler ZSK rollover, then a KSK rollover, and once you get familiar, you'll be able to handle algorithm rollovers easily.

It's not recommended to modify your keys manually with keymgr while automatic key management is doing things. And the `del-all-old` feature is only intended for the special Offline KSK setup.

It might also surprise you that reverting the configuration does not always lead to reverting the state. For example, if you trigger an algorithm rollover by changing the configuration, the process will start, and if you revert the configuration at that stage, I'm not sure what will happen, but probably not a flawless return to the original algorithm.

A final hint: use https://dnsviz.net/ to check your zone state.

Libor

--
https://lists.nic.cz/mailman/listinfo/knot-dns-users
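One property an algorithm rollover must preserve at every step, and the sort of thing you would look for when checking the zone at dnsviz.net, is the RFC 4035 section 2.2 rule: every RRset must carry an RRSIG for each algorithm present in the apex DNSKEY RRset, and the DNSKEY RRset must be signed by each algorithm in the parent's DS. The script below is an added example, not code from the post or from Knot DNS; it assumes records in zone-file presentation format and uses a constructed sample caught mid-rollover.

```python
from collections import defaultdict

# Constructed sample (not from the post): apex mid-rollover from RSASHA256 (8)
# to ECDSAP256SHA256 (13). The new keys sign the DNSKEY RRset, but the A RRset
# still has an algorithm-8 signature only. Key/signature/digest blobs are placeholders.
MID_ROLLOVER = """
example.com. 3600 IN DS 11111 8 2 PLACEHOLDERDIGEST
example.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKSK8
example.com. 3600 IN DNSKEY 256 3 8 PLACEHOLDERZSK8
example.com. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKSK13
example.com. 3600 IN DNSKEY 256 3 13 PLACEHOLDERZSK13
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20250201000000 20250101000000 11111 example.com. SIG8
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250201000000 20250101000000 33333 example.com. SIG13
example.com. 3600 IN A 192.0.2.1
example.com. 3600 IN RRSIG A 8 2 3600 20250201000000 20250101000000 22222 example.com. SIG8
"""

def parse(text):
    """Yield (owner, rtype, rdata_fields) from presentation-format lines."""
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) >= 4 and p[2] == "IN":
            yield p[0], p[3], p[4:]

def check_algorithm_consistency(text):
    """Return RFC 4035 section 2.2 violations as (owner, rtype, missing_algs)
    tuples: every RRset must be signed by every algorithm in the DNSKEY RRset,
    and the DNSKEY RRset by every algorithm in the parent's DS. [] means OK."""
    dnskey_algs, ds_algs, rrsets = set(), set(), set()
    sig_algs = defaultdict(set)  # (owner, rtype) -> algorithms with an RRSIG
    for owner, rtype, f in parse(text):
        if rtype == "DNSKEY":            # rdata: flags protocol algorithm key
            dnskey_algs.add(int(f[2]))
            rrsets.add((owner, rtype))
        elif rtype == "DS":              # rdata: keytag algorithm digesttype digest
            ds_algs.add(int(f[1]))       # parent-side record, not an RRset of this zone
        elif rtype == "RRSIG":           # rdata: covered algorithm labels ttl ...
            sig_algs[(owner, f[0])].add(int(f[1]))
        else:
            rrsets.add((owner, rtype))
    problems = []
    for owner, rtype in sorted(rrsets):
        missing = dnskey_algs - sig_algs[(owner, rtype)]
        if missing:
            problems.append((owner, rtype, tuple(sorted(missing))))
        if rtype == "DNSKEY" and ds_algs - sig_algs[(owner, rtype)]:
            missing = ds_algs - sig_algs[(owner, rtype)]
            problems.append((owner, "DS->DNSKEY", tuple(sorted(missing))))
    return problems
```

On the sample this reports that the A RRset lacks an algorithm-13 RRSIG; once the remaining RRsets are re-signed with both algorithms the check returns an empty list and the old algorithm can be retired.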
