Hi,
I am still very new to knot ;-)
FYI: This is Knot DNS 3.3.3 because 3.3.4 hasn't been shown up in FreeBSD's
ports collectioon, yet.
Here are my settings regarding dnssec policy:
policy:
- id: ecdsa
algorithm: ecdsap256sha256
ksk-lifetime: 3650d
zsk-lifetime: 330d
propagation-delay: 1d
nsec3: on
cds-cdnskey-publish: rollover
Whatever I tell nsec3, either "on" or "true", only NSEC RR are generated, no
NSEC3.
dns> grep -i nsec3 zones/ellael.org
dns>
dns> grep -i nsec zones/ellael.org
3600 IN RRSIG NSEC 13 2 3600 20240226084528 20240212071528 9562 ellael.org.
fkpFcgkVq8ZRZT0GX5kVcfPZBB5S/2Gvh4XqrkrywbZXFKiCttYqCX7rBdJSbyem5G8Bxg1LKaxu7LrIoxtyVA==
3600 IN NSEC _dmarc.ellael.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA
3600 IN RRSIG NSEC 13 3 3600 20240226084528 20240212071528 9562 ellael.org.
R7Pz2JuKi7vQDe0KMt29NHGtKvuEnH2LPKcxTWLP9HyfuMxJx4BEyPE6i+JAw8RxfSIqWAcV/KMyCHaLgFtXXw==
3600 IN NSEC _token._dnswl.ellael.org. TXT RRSIG NSEC
3600 IN RRSIG NSEC 13 4 3600 20240226084528 20240212071528 9562 ellael.org.
3oUCWWTH2s9oH/Ea0b+MDrrQcOEuTbwx1iEuXaLq7wFribrnIGY8JeeiE3TO59n1lckKm4hia+2ox324xoxCzA==
[snip]
What am I doing wrong?
Thanks in advance and kind regards,
Michael
--
