Hi,

When a key is imported using import-pem or import-pkcs11, its publish and active timers are set to now, which is time zero for the key lifetime. So an imported KSK shouldn't be rolled immediately, but after the ksk-lifetime period. You only have to ensure that the DNSSEC policy (especially the algorithm) is compatible with the imported keys.
Daniel

On 5/6/22 16:05, Jan-Piet Mens wrote:
Hello,

I need to migrate away from an HSM-backed OpenDNSSEC installation which uses a Thales nCipher for key storage and am experimenting with Knot DNS 3.1.8 (on CentOS 7, FWIW). I've compiled Knot, and it is able to access said HSM via PKCS#11.

I have configured a zone with a manual policy.

  policy:
    - id: manualHSM
      keystore: thales
      single-type-signing: on
      manual: on

After importing keys from the HSM with `keymgr import-pkcs11', knotd launches and signs the zone with KSK/ZSK as expected.

What I would then like to have happen is to have periodic ZSK rollovers as well as periodic KSK rollovers. In order to accomplish this I have changed the zone's policy to

  policy:
    - id: autoHSM
      keystore: thales
      single-type-signing: off
      manual: off
      algorithm: rsasha256
      ksk-size: 2048
      zsk-size: 1024
      zone-max-ttl: 60
      dnskey-ttl: 60
      propagation-delay: 60
      nsec3: on
      nsec3-iterations: 0
      nsec3-salt-length: 0
      nsec3-salt-lifetime: 0
      ksk-lifetime: 7200
      zsk-lifetime: 3600

A restart of knotd then begins by creating a new ZSK and rolling it, and the KSK is rolled automatically after 7200 seconds. (These timers are for testing only.) So far no complaints whatsoever -- this is working exactly as I had hoped it would.

I am assuming that it is permissible to change a zone's policy in flight. What I'd like is confirmation that the KSK roll will actually never occur immediately, but only after a first period has elapsed. Can I rely on this behavior, i.e. that the first KSK roll will occur only after a first `ksk-lifetime' period?

Best regards,

-JP

--
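As an added example (not part of this thread, nor Knot's own tooling): a small Python helper that applies the timer semantics Daniel describes, publish == active == import time as time zero, to a key listing and reports when the first KSK roll is due under a given ksk-lifetime. The key=value listing is constructed here and its field names are an assumption modelled on `keymgr <zone> list`; check them against your keymgr version before relying on the parser.

```python
"""Estimate the first KSK rollover for keys imported into Knot DNS."""

# Constructed sample listing (key-id followed by key=value fields, Unix
# timestamps). Field names are assumed, not taken from a real keymgr run.
# Both keys were imported at 1651845900, so publish == active == import time.
SAMPLE_LISTING = """\
KEYID-A ksk=yes zsk=no tag=41270 algorithm=8 size=2048 publish=1651845900 active=1651845900 retire=0 remove=0
KEYID-B ksk=no zsk=yes tag=12345 algorithm=8 size=1024 publish=1651845900 active=1651845900 retire=0 remove=0
"""


def parse_keys(listing):
    """Turn one record per line into dicts; the first token is the key id."""
    keys = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"id": parts[0]}
        for token in parts[1:]:
            name, _, value = token.partition("=")
            rec[name] = value
        keys.append(rec)
    return keys


def first_roll_due(key, ksk_lifetime):
    """Time zero is the active timer, so the lifetime expires at active + ksk-lifetime."""
    return int(key["active"]) + ksk_lifetime


def ksk_roll_report(keys, ksk_lifetime, now):
    """For every KSK return (id, due, seconds_until, timers_consistent).

    seconds_until <= 0 means the policy would start the roll at once, which
    is what an operator switching from a manual policy wants to rule out.
    timers_consistent is False when publish != active, i.e. the key does not
    look like a freshly imported one.
    """
    report = []
    for key in keys:
        if key.get("ksk") != "yes":
            continue
        consistent = key["publish"] == key["active"]
        due = first_roll_due(key, ksk_lifetime)
        report.append((key["id"], due, due - now, consistent))
    return report


if __name__ == "__main__":
    for key_id, due, until, ok in ksk_roll_report(parse_keys(SAMPLE_LISTING), 7200, 1651846500):
        print(f"{key_id}: first roll due at {due} ({until}s from now), timers consistent: {ok}")
```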
