Hi Günther,

The purpose of the warning is to inform you that if you upgraded to 3.2 (in the future), all your zones, which don't have fixed NSEC3 iterations, would be re-signed with a new NSEC3 chain.

The solution is simple, just add `nsec3-iterations: 10` to each policy configured. Or rather `nsec3-iterations: 0` if you want to follow the latest recommendation :-)

Best,
Daniel

On 2/13/22 13:44, Günther J. Niederwimmer wrote:
Hello,

what is wrong in my policy section? I can't find anything in the docs. Am I missing parameters or ..............

The warning is:

```
Feb 13 12:33:05 dns1 knotd[184636]: warning: config, policy[rsa2k].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: warning: config, policy[ececc1].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: 2022-02-13T12:33:05+0100 warning: config, policy[rsa2k].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: 2022-02-13T12:33:05+0100 warning: config, policy[ececc1].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: 2022-02-13T12:33:05+0100 warning: config, policy[ececc2].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Feb 13 12:33:05 dns1 knotd[184636]: warning: config, policy[ececc2].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
```

My policy:

```
policy:
  - id: rsa2k
    algorithm: RSASHA256
    ksk-size: 4096
    zsk-size: 2048
    nsec3: on
  - id: ececc1
    algorithm: ECDSAP256SHA256
    nsec3: on
  - id: ececc2
    algorithm: ecdsap384sha384
    nsec3: on
```
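The check the reply describes can be run over a configuration before upgrading. The following is an added example, not part of the original thread and not Knot DNS project code: it lists policies that enable NSEC3 without a fixed `nsec3-iterations`, which are the ones that would be re-signed with a new NSEC3 chain. The function names are hypothetical, the sample configuration is constructed from the policy quoted above, and the parser assumes the simple indented `- id:` layout shown there.

```python
import re

# Constructed sample: the policy section quoted in the thread, with ececc2
# already pinned to an explicit iteration count for contrast.
SAMPLE_CONF = """\
policy:
  - id: rsa2k
    algorithm: RSASHA256
    ksk-size: 4096
    zsk-size: 2048
    nsec3: on
  - id: ececc1
    algorithm: ECDSAP256SHA256
    nsec3: on
  - id: ececc2
    algorithm: ecdsap384sha384
    nsec3: on
    nsec3-iterations: 0
"""

ITEM = re.compile(r"\s*(-\s+)?([\w-]+):\s*(.*)$")

def parse_policies(conf_text):
    """Return {policy id: {option: value}} for the top-level policy section."""
    policies, current, in_policy = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # new top-level section
            in_policy, current = line.strip() == "policy:", None
            continue
        m = ITEM.match(line) if in_policy else None
        if not m:
            continue
        new_item, key, value = m.groups()
        if new_item:                              # "- id: name" starts a policy
            current = policies.setdefault(value, {}) if key == "id" else None
        elif current is not None:
            current[key] = value
    return policies

def unpinned_nsec3_policies(conf_text):
    """Policies with NSEC3 enabled that rely on the default iteration count."""
    return sorted(pid for pid, opts in parse_policies(conf_text).items()
                  if opts.get("nsec3") in ("on", "true")
                  and "nsec3-iterations" not in opts)

if __name__ == "__main__":
    for pid in unpinned_nsec3_policies(SAMPLE_CONF):
        print(f"policy[{pid}]: nsec3-iterations not set, default changes in 3.2")
```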