Hi Daniel

Thanks, indeed. I had a suspicion something in the default template was in the way. Too bad now all other zones have to have two lines of definitions rather than just one :-)
I was also confused that knot doesn’t publish CDS records for zones that are not in the process of rolling a key, but after picking the right zone, it turns out everything works as intended:

> dig @ns3b.droso.dk cds _dsboot.lansing.cl._signal.ns3b.droso.dk +dnssec +short
37743 13 2 FF4EF91DD6471FF6207FFD30A512C9573200A53D7163B67DF9F31F75 459142AB
CDS 13 7 0 20240528154030 20240514141030 32886 _signal.ns3b.droso.dk. 1rN4np8mrXkvFU+Ikcs7DEzNgE7eFc/Ml8wSPrnEvY51VaLCFMC9h7gx c2zFu79kWufy5MbykQ7P0XyFXCSu2A==

Thanks again and great new feature! Hopefully more registries and registrars will add it.

Best
Erwin

> On 14 May 2024, at 08.05, Daniel Salzman <[email protected]> wrote:
>
> Hi Erwin,
>
> The module generates responses online, so you must use online DNSSEC signing,
> which is incompatible with the pre-signing functionality.
>
> You need to remove dnssec-signing (and dnssec-policy) from the default template.
> Also note that mod-onlinesign ignores NSEC3 setting (remove nsec3 from the policy).
>
> Daniel
>
> On 5/13/24 22:18, Erwin Lansing via knot-dns-users wrote:
>> Howdy,
>>
>> I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping
>> following the blog article and docs. However, I’m getting an error for the
>> signalling zones, but I fail to figure out what I may have overlooked.
>>
>> error: [_signal.ns2.droso.dk.] module 'mod-onlinesign/authsignal', incompatible with automatic signing
>>
>> Relevant knot.conf snippets (in order):
>>
>> policy:
>>   - id: ecc
>>     algorithm: ecdsap256sha256
>>     nsec3: on
>>     rrsig-refresh: 7d
>> mod-onlinesign:
>>   - id: authsignal
>>     nsec-bitmap: [CDS, CDNSKEY]
>>     policy: ecc
>> template:
>>   - id: default
>>     …
>>     dnssec-signing: on
>>     dnssec-policy: ecc
>>     …
>> zone:
>>   - domain: _signal.ns2.droso.dk
>>     module: [mod-authsignal, mod-onlinesign/authsignal]
>>
>> Any hint appreciated
>>
>> Best
>> Erwin
>> --
--
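The layout described in Daniel's reply, written out as an added example that is not part of the original thread or of the Knot DNS documentation. The policy id `ecc-online` and the zone `example.net` are hypothetical, and enabling signing per zone is one assumed way to arrange it; all other identifiers come from the quoted snippet.

```yaml
# Added example, not from the thread. `ecc-online` and `example.net` are
# hypothetical names; the rest reuses identifiers from the quoted snippet.
policy:
  - id: ecc                      # used only by pre-signed (automatically signed) zones
    algorithm: ecdsap256sha256
    nsec3: on
    rrsig-refresh: 7d
  - id: ecc-online               # used by mod-onlinesign: no nsec3, it would be ignored
    algorithm: ecdsap256sha256

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc-online

template:
  - id: default
    # dnssec-signing and dnssec-policy are no longer set here, so the
    # signalling zone does not inherit automatic signing from the template.
    # (other default settings stay as they were)

zone:
  # Ordinary zone: signing is now switched on per zone.
  - domain: example.net
    dnssec-signing: on
    dnssec-policy: ecc

  # Signalling zone: responses are generated and signed online by the modules,
  # so it must not have dnssec-signing enabled.
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]
```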
