Greetings,

One thing I’m not sure about is exactly what happens when we run `knotc zone-ksk-submitted`? Our parent zones don’t support CDS/CDNSKEY, so we manually update DS records and then run `knotc zone-ksk-submitted`. It seems to me that as soon as we run it, the retiring of the outgoing KSK key starts and it’s removed from the DNSKEY RRset. Is that correct?

I’d like to be sure, because as it is, I wait at least the TTL of the DS record before running zone-ksk-submitted. If I run it right away and Knot removes the key immediately from the DNSKEY RRset, then caching resolvers will invalidate the zone.

The docs for knotc say: "Use when the zone's KSK rollover is in submission phase. By calling this command the user confirms manually that the parent zone contains DS record for the new KSK in submission phase and the old KSK can be retired."

Reading the docs, I would think I should run zone-ksk-submitted as soon as the new DS record has been published in the parent, but then Knot would need to know to wait for the TTL of the DS record before removing the key. Should I wait before running zone-ksk-submitted, or is there a config option I’m missing to tell Knot the DS TTL?

.einar
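The pre-check behind the manual procedure in the post, as an added example that is not part of the original thread or of Knot DNS: it computes the new KSK's key tag (RFC 4034 Appendix B), confirms that the parent's DS RRset (a constructed `dig`-style answer) contains it, and derives a conservative wait from the DS TTL before `knotc zone-ksk-submitted` is run. The key material, the zone name `example.org`, the old key tag and the 300-second margin are constructed assumptions.

```python
import base64
import struct

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_ds(answer_lines):
    """Parse `dig +noall +answer` style DS lines: name TTL IN DS tag alg dtype digest."""
    records = []
    for line in answer_lines:
        parts = line.split()
        if len(parts) >= 8 and parts[2] == "IN" and parts[3] == "DS":
            records.append({"ttl": int(parts[1]), "tag": int(parts[4]),
                            "alg": int(parts[5]), "digest_type": int(parts[6])})
    return records

def submission_status(new_ksk, old_tag, ds_lines, margin=300):
    """Is the new KSK's DS at the parent, and how long to wait before 'submitted'?
    Wait = largest DS TTL seen at the parent + margin: resolvers still holding the
    old DS RRset must expire it before the old KSK leaves the DNSKEY RRset, or they
    cannot build a chain to the new key. Assumes the answer was fetched right after
    the manual DS change."""
    tag = key_tag(new_ksk["flags"], 3, new_ksk["alg"], base64.b64decode(new_ksk["key"]))
    ds = parse_ds(ds_lines)
    new_published = any(r["tag"] == tag and r["alg"] == new_ksk["alg"] for r in ds)
    old_present = any(r["tag"] == old_tag for r in ds)
    wait = max((r["ttl"] for r in ds), default=0) + margin if new_published else None
    return {"tag": tag, "new_ds_published": new_published,
            "old_ds_present": old_present, "wait_seconds": wait}

# Constructed sample data (assumption): a toy 4-byte "public key", not a real one,
# and the parent's DS answer as it might look right after the manual DS update.
NEW_KSK = {"flags": 257, "alg": 13, "key": base64.b64encode(b"\x01\x02\x03\x04").decode()}
OLD_TAG = 11111
PARENT_DS = ["example.org.\t3600\tIN\tDS\t2068 13 2 " + "00" * 32]

if __name__ == "__main__":
    status = submission_status(NEW_KSK, OLD_TAG, PARENT_DS)
    if status["new_ds_published"]:
        print(f"DS for key tag {status['tag']} is at the parent; run "
              f"`knotc zone-ksk-submitted example.org` after {status['wait_seconds']} s")
    else:
        print(f"no DS for key tag {status['tag']} yet; do not run zone-ksk-submitted")
```

With a real deployment, replace `PARENT_DS` with the answer of a DS query sent to the parent's authoritative servers rather than to a caching resolver, so the observed TTL is the full zone TTL.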
