Hi Günther,

The purpose of the warning is to inform you that if you upgraded to 3.2 (in the future), all your zones, which don't have fixed NSEC3 iterations, would be re-signed with a new NSEC3 chain.

The solution is simple, just add `nsec3-iterations: 10` to each policy configured.
Or rather `nsec3-iterations: 0` if you want to follow the latest recommendation :-)

Best,
Daniel

On 2/13/22 13:44, Günther J. Niederwimmer wrote:
Hello,
what is wrong in my policy section? I can't find anything in the docs?

Am I missing parameters or ..............

The warning is,
Feb 13 12:33:05 dns1 knotd[184636]: warning: config, policy[rsa2k].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: warning: config, policy[ececc1].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: 2022-02-13T12:33:05+0100 warning: config, policy[rsa2k].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: 2022-02-13T12:33:05+0100 warning: config, policy[ececc1].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: 2022-02-13T12:33:05+0100 warning: config, policy[ececc2].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: warning: config, policy[ececc2].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0

my policy,
policy:
   - id: rsa2k
     algorithm: RSASHA256
     ksk-size: 4096
     zsk-size: 2048
     nsec3: on
   - id: ececc1
     algorithm: ECDSAP256SHA256
     nsec3: on
   - id: ececc2
     algorithm: ecdsap384sha384
     nsec3: on
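For reference, here is the policy section above with Daniel's fix applied. This is an added example, not part of the thread: it takes Günther's three policies as posted and pins `nsec3-iterations` explicitly in each, so the NSEC3 chain no longer depends on whatever the Knot DNS default happens to be. The value 0 follows the recommendation Daniel refers to; the comments note the trade-off against pinning 10.

```yaml
# Added example (not from the thread): Günther's three policies with
# nsec3-iterations pinned so the upgrade to Knot DNS 3.2 cannot silently
# change the NSEC3 chain.
#
# Pinning 10 keeps the chain the zones are signed with today and avoids
# any re-sign. Pinning 0 follows the current guidance, but it changes the
# chain, so every zone using the policy is re-signed once, at reload time
# rather than at an unplanned moment during the upgrade.
policy:
  - id: rsa2k
    algorithm: RSASHA256
    ksk-size: 4096
    zsk-size: 2048
    nsec3: on
    nsec3-iterations: 0    # explicit: the warning goes away, chain is fixed
  - id: ececc1
    algorithm: ECDSAP256SHA256
    nsec3: on
    nsec3-iterations: 0
  - id: ececc2
    algorithm: ecdsap384sha384
    nsec3: on
    nsec3-iterations: 0
```

Run `knotc conf-check` after editing and confirm the `nsec3-iterations defaults to 10` warning no longer appears in the knotd log after the reload. The thread does not cover the salt; the same guidance Daniel alludes to (later published as RFC 9276) also recommends an empty salt, which in Knot DNS is the separate `nsec3-salt-length` option, left at its default here.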
