Hi Erwin,

The module generates responses online, so you must use online DNSSEC signing, which is incompatible with the pre-signing functionality.

You need to remove dnssec-signing (and dnssec-policy) from the default template. Also note that mod-onlinesign ignores the NSEC3 setting (remove nsec3 from the policy).

Daniel

On 5/13/24 22:18, Erwin Lansing via knot-dns-users wrote:
Howdy,

I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping following the blog article and docs.  However, I’m getting an error for the signalling zones, but I fail to figure out what I may have overlooked.

error: [_signal.ns2.droso.dk.] module 'mod-onlinesign/authsignal', incompatible with automatic signing

Relevant knot.conf snippets (in order):

policy:
  - id: ecc
    algorithm: ecdsap256sha256
    nsec3: on
    rrsig-refresh: 7d

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc

template:
  - id: default
…
    dnssec-signing: on
    dnssec-policy: ecc
…

zone:
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]

Any hint appreciated

Best
Erwin
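As an added illustration of Daniel's advice (this is not configuration from the thread or from the Knot project), here is one way to lay out the relevant knot.conf sections so that the signalling zone is signed online only, while other zones keep their pre-signing setup. The template name `signed` and the zone `example.net` are placeholders chosen for this example; the policy, module and signalling-zone names are the ones from Erwin's snippet.

```yaml
# Added example, not from the thread. Assumptions: a hypothetical
# template 'signed' carries the pre-signing settings that used to sit
# in 'default', and 'example.net' stands in for any zone that should
# keep using them.

policy:
  - id: ecc
    algorithm: ecdsap256sha256
    rrsig-refresh: 7d
    # nsec3 removed: mod-onlinesign ignores it, and the signalling zone
    # only needs the NSEC bitmap configured on the module below.

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc

template:
  # 'default' must not enable pre-signing: every zone inherits it,
  # including the online-signed signalling zone, and mod-onlinesign
  # refuses to load when automatic signing is on for the same zone.
  - id: default

  # hypothetical template for zones that should keep pre-signing
  - id: signed
    dnssec-signing: on
    dnssec-policy: ecc

zone:
  # placeholder zone that keeps the pre-signing setup
  - domain: example.net
    template: signed

  # signalling zone: inherits 'default' (no dnssec-signing), so only the
  # online signer and the authsignal module act on it
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]
```

Before reloading, `knotc conf-check` reports whether the file parses and whether the module/template combination is still rejected, which is the quickest way to confirm that no inherited `dnssec-signing: on` is left on the signalling zone.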
