Hi,

thank you for contacting us with your issues with Knot DNS. However, you have hit the wrong channel: the knot-resolver-users mailing list is intended for users of Knot Resolver. I'm sending this reply to the proper channel already.

You correctly pointed out that Knot did not delete the old key after the delete-delay period.

This seems to be an effect of an actually intentional, but perhaps tricky, feature: Knot postpones this (relatively unnecessary) key deletion until the next signing process. The point is that initializing the whole "signing machinery" just in order to purge a deleted (marked as such) key might be overkill (mostly on configurations with many, many zones).

You can see the next planned signing event when calling `knotc zone-status` or when inspecting the logfile for logs of the previous signing event. Please let me know if the deleted key disappears once the zone is re-signed. I guess it might take up to a week, since that is how long it takes between RRSIG re-creations according to your configuration.

If you need to delete the key immediately, you can use the keymgr utility, or it might also be done with `knotc zone-keys-load` (basically triggering the zone signing process out of schedule).

Thank you,

Libor
