Hi,
we're using knot as a bump-in-the-wire DNSSEC Signer. The setup is as
follows:
BIND9(unsigned) -> AXFR -> knot(signing) -> AXFR -> BIND9(signed)
The zone starts out with a low serial like 10 or 11. knot has a
serial-policy: unixtime for the zones.
Problem is, whenever an update is pushed
* libor.peltan [2018-10-31 11:03]:
> Please try purging the journal (or deleting it directly on the filesystem)
> and restarting the server.
Yeah, that worked...
Regards
Sebastian
--
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S
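The bump-in-the-wire topology described in the first message, as an added example configuration that is not from this thread or from the Knot project: Knot pulls the unsigned zone from a hidden master, signs it, and transfers it on to a public secondary, with the serial-policy the message mentions. The remote names, addresses, zone name and policy id are placeholders.

```yaml
# Added example Knot DNS configuration for:
#   BIND9(unsigned) -> AXFR -> Knot(signing) -> AXFR -> BIND9(signed)
# Addresses and names below are placeholders, not from the thread.

remote:
  - id: unsigned_master        # BIND9 holding the unsigned zone
    address: 192.0.2.1@53
  - id: signed_secondary       # BIND9 serving the signed zone
    address: 192.0.2.2@53

acl:
  - id: notify_from_master     # only the hidden master may NOTIFY us
    address: 192.0.2.1
    action: notify
  - id: xfr_to_secondary       # only the public secondary may AXFR from us
    address: 192.0.2.2
    action: transfer

policy:
  - id: ecdsa_policy           # placeholder signing policy
    algorithm: ecdsap256sha256

zone:
  - domain: example.com
    master: unsigned_master    # pull unsigned data via AXFR
    notify: signed_secondary   # push signed data onward
    acl: [notify_from_master, xfr_to_secondary]
    dnssec-signing: on
    dnssec-policy: ecdsa_policy
    # Signed serial is derived from the current time, so it always
    # exceeds the low serials (10, 11, ...) used on the unsigned master.
    serial-policy: unixtime
```

The journal purge suggested in the reply can be done per zone with `knotc zone-purge +journal example.com` on current Knot releases.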
* libor.peltan [2018-10-30 15:04]:
> Hi Sebastian,
>
> I don't see clearly what happened in your case. It seems for some reason the
> history stored in journal (just changes) was no longer applicable to the
> zonefile. Nothing terrible, just one annoying warning and a bit more
> annoying AXFR
* libor.peltan [2018-10-29 16:20]:
> 2) No, "discontinuity in changes history" is not expected. Could you please
> describe what you did before such warning appeared, with longer snippets
> of the log? In any case, there is no need to be scared of journal getting
> full, once you read the
Right now I have two zone types for my knot test setup, one where knot
is doing DNSSEC signing as a slave (AXFR in -> sign -> AXFR out) and
one where knot is the master for the zone and zone data is coming
out of a git repository and gets signed.
Reading older threads on this ML and browsing
* Daniel Stirnimann [2018-10-24 10:28]:
> Hello Sebastian,
>
> > http://dnsviz.net/d/6v6.de/W9AmtA/dnssec/
> >
> > Looking at the graph the new KSK (54879) is not signing anything right
> > now. Shouldn't it sign the DNSKEY records of the ZSKs so that the
> > chain stays intact when the DS
* Sebastian Wiesinger [2018-10-24 10:08]:
> Hi,
>
> I'm currently testing a KSK algorithm rollover with my zone. I changed
> the signature scheme from RSA to ECDSA. Knot started adding new RRSIGs
> and new keys and now waits for the new DS to be published at the
> parent zone.
Hi,
I'm currently testing a KSK algorithm rollover with my zone. I changed
the signature scheme from RSA to ECDSA. Knot started adding new RRSIGs
and new keys and now waits for the new DS to be published at the
parent zone. One thing strikes me as odd though: