Hey Tobias,

have you tried setting "retire" and "remove" to the exact same value?

Each record has to be signed by every algorithm in the DNSKEY set. That's
the reason for the error you see. But you can have extra signatures
with an algorithm that is not in the DNSKEY set. This is used in
algorithm rollover. You can do that manually with Knot. The process is
described in RFC 6781
(https://tools.ietf.org/html/rfc6781#section-4.1.4). In short: you
need to pre-publish new signatures, publish the new DNSKEY, remove the old
DNSKEY, remove the old signatures. Pre-publishing signatures means that the
key is active but not published, in Knot terminology.

Jan
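The rule Jan refers to (every algorithm in the DNSKEY RRset must sign every RRset, RFC 4035 section 2.2) and the phase ordering of the RFC 6781 conservative algorithm rollover can be modelled as a small consistency check. The following is an added example, not code from the thread or from Knot; the zone state is a constructed abstraction (sets of algorithm numbers) and the phase names are assumptions chosen for illustration. The model ignores the TTL and propagation waits that RFC 6781 requires between phases.

```python
"""Model of the DNSKEY/RRSIG algorithm rule behind the error in the thread.

Constructed example, not Knot code. Rule (RFC 4035 s2.2): every algorithm
that appears in the DNSKEY RRset must have RRSIGs over every RRset in the
zone. Extra RRSIGs whose algorithm has no DNSKEY are permitted, which is
what makes the RFC 6781 s4.1.4 conservative rollover work.
"""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class ZoneState:
    phase: str                # assumed phase label, for reporting only
    dnskey_algs: frozenset    # algorithms of keys published in the DNSKEY RRset
    rrsig_algs: frozenset     # algorithms that sign every RRset in the zone


def missing_signature_algorithms(state):
    """Algorithms published in DNSKEY that do not sign the zone.
    Non-empty means a strict validator may treat the zone as bogus; this
    is also the condition Knot's key validation refuses to sign into."""
    return state.dnskey_algs - state.rrsig_algs


def extra_signature_algorithms(state):
    """Signature algorithms with no matching DNSKEY. Allowed: validators
    simply ignore signatures they cannot match to a key."""
    return state.rrsig_algs - state.dnskey_algs


def is_consistent(state):
    return not missing_signature_algorithms(state)


def conservative_rollover(old_alg, new_alg):
    """Phases of the RFC 6781 s4.1.4 conservative algorithm rollover:
    signatures before keys when adding, keys before signatures when removing."""
    old, new, both = frozenset({old_alg}), frozenset({new_alg}), frozenset({old_alg, new_alg})
    return [
        ZoneState("initial", old, old),
        ZoneState("new RRSIGs pre-published", old, both),   # new key active, not published
        ZoneState("new DNSKEY published", both, both),
        ZoneState("old DNSKEY removed", new, both),         # old RRSIGs are now 'extra'
        ZoneState("old RRSIGs removed", new, new),
    ]


def naive_rollover(old_alg, new_alg):
    """Key-first ordering that looks natural but breaks the rule twice."""
    old, new, both = frozenset({old_alg}), frozenset({new_alg}), frozenset({old_alg, new_alg})
    return [
        ZoneState("initial", old, old),
        ZoneState("new DNSKEY published, not yet signing", both, old),
        ZoneState("both signing", both, both),
        ZoneState("old RRSIGs removed, old DNSKEY still published", both, new),
        ZoneState("old DNSKEY removed", new, new),
    ]


def first_inconsistent_phase(states):
    """Return the label of the first phase that violates the rule, or None."""
    for state in states:
        if not is_consistent(state):
            return state.phase
    return None


if __name__ == "__main__":
    for name, plan in (("conservative", conservative_rollover(RSASHA256, ECDSAP256SHA256)),
                       ("naive", naive_rollover(RSASHA256, ECDSAP256SHA256))):
        print(name, "first bad phase:", first_inconsistent_phase(plan))
```

Running the two plans side by side shows why retiring the old ZSK while an RSA KSK is still in the DNSKEY set trips the check: the RSA algorithm remains published but no longer signs the zone data, which is exactly the `missing_signature_algorithms` condition.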



On Mon, Mar 27, 2017 at 2:56 PM, Tobias Brunner <[email protected]> wrote:
> Hi,
>
> I'm in the process of changing the key algorithm from the former Knot
> default of RSASHA256 to the newer default ecdsap256sha256. For this I
> have just updated the DNSSEC policy and reloaded Knot. This created a
> new ZSK and signed the zone with this new ZSK, but also with the old
> one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
>
> I already tried to set "retire" and "remove" on the old ZSK with keymgr
> to a value in the near future, but that just led to the error message
> "keys validation failed (missing active KSK or ZSK)" when issuing a
> zone-sign to this particular zone. So I'm stuck now.
>
> Additionally: How can I do a KSK rollover to also change the algorithm
> from RSASHA256 to ecdsap256sha256? I couldn't find a documentation
> explaining this step. I know that I need to have two KSKs until the DS
> record on the parent is updated pointing to the new key, but I don't
> know how to create a new KSK with Knot.
>
> Thanks in advance for explaining the process.
>
> Cheers,
> Tobias
>
>
> _______________________________________________
> knot-dns-users mailing list
> [email protected]
> https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
>