Bingo! You found my newbie mistake ;-) As I had only 'dnssec-signing: on' set.

Thanks for your help.

Regards,
Michael

> On 12. Feb 2024, at 11:23, Daniel Salzman <[email protected]> wrote:
>
> I guess you don't have the policy specified for the zone(s) via
> `dnssec-policy: ecdsa`?
>
> Daniel
>
> On 2/12/24 11:21, Michael Grimm wrote:
>> Restarted, multiple times.
>> This happens to all of my domains, as well.
>> Regards,
>> Michael
>>> On 12. Feb 2024, at 11:18, Daniel Salzman <[email protected]> wrote:
>>>
>>> Have you reloaded or restarted Knot after the reconfiguration?
>>>
>>> Daniel
>>>
>>> On 2/12/24 11:14, Michael Grimm wrote:
>>>> Hi,
>>>> I am still very new to knot ;-)
>>>> FYI: This is Knot DNS 3.3.3 because 3.3.4 hasn't shown up in
>>>> FreeBSD's ports collection, yet.
>>>> Here are my settings regarding dnssec policy:
>>>> policy:
>>>>   - id: ecdsa
>>>>     algorithm: ecdsap256sha256
>>>>     ksk-lifetime: 3650d
>>>>     zsk-lifetime: 330d
>>>>     propagation-delay: 1d
>>>>     nsec3: on
>>>>     cds-cdnskey-publish: rollover
>>>> Whatever I tell nsec3, either "on" or "true", only NSEC RRs are generated,
>>>> no NSEC3.
>>>> dns> grep -i nsec3 zones/ellael.org
>>>> dns>
>>>> dns> grep -i nsec zones/ellael.org
>>>> 3600 IN RRSIG NSEC 13 2 3600 20240226084528 20240212071528 9562
>>>> ellael.org.
>>>> fkpFcgkVq8ZRZT0GX5kVcfPZBB5S/2Gvh4XqrkrywbZXFKiCttYqCX7rBdJSbyem5G8Bxg1LKaxu7LrIoxtyVA==
>>>> 3600 IN NSEC _dmarc.ellael.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CAA
>>>> 3600 IN RRSIG NSEC 13 3 3600 20240226084528 20240212071528 9562
>>>> ellael.org.
>>>> R7Pz2JuKi7vQDe0KMt29NHGtKvuEnH2LPKcxTWLP9HyfuMxJx4BEyPE6i+JAw8RxfSIqWAcV/KMyCHaLgFtXXw==
>>>> 3600 IN NSEC _token._dnswl.ellael.org. TXT RRSIG NSEC
>>>> 3600 IN RRSIG NSEC 13 4 3600 20240226084528 20240212071528 9562
>>>> ellael.org.
>>>> 3oUCWWTH2s9oH/Ea0b+MDrrQcOEuTbwx1iEuXaLq7wFribrnIGY8JeeiE3TO59n1lckKm4hia+2ox324xoxCzA==
>>>> [snip]
>>>> What am I doing wrong?
>>>> Thanks in advance and kind regards,
>>>> Michael
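
The resolution reached in this thread, shown as an added configuration example that is not part of the original messages: the `policy` block is the one posted above, while the `zone` entry (domain taken from the zone file name in the grep, and its layout) is an assumption about the poster's knot.conf.

```yaml
# knot.conf fragment (added example; the zone entry is assumed, not quoted)
policy:
  - id: ecdsa
    algorithm: ecdsap256sha256
    ksk-lifetime: 3650d
    zsk-lifetime: 330d
    propagation-delay: 1d
    nsec3: on
    cds-cdnskey-publish: rollover

zone:
  # Before: signing is enabled but no policy is referenced, so the zone is
  # signed with Knot's default policy values. The `ecdsa` policy above,
  # including `nsec3: on`, is defined but never applied, and the zone
  # keeps its NSEC chain.
  # - domain: ellael.org
  #   dnssec-signing: on

  # After: the zone references the policy by its id, so `nsec3: on`
  # takes effect for this zone.
  - domain: ellael.org
    dnssec-signing: on
    dnssec-policy: ecdsa
```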
