On Monday, 28 August 2023 at 15:56 +0200, libor.peltan wrote:
> Hi Bastien,
>
> in your configuration, you have dnssec-signing and mod-onlinesign
> configured for the same zone. This is probably a mistake.
>
> You should have your zone either signed normally (during load, reload,
> update etc), or online (during answering each query). Otherwise it
> might lead to a mess. I can't even foresee the mess as we haven't even
> tried it.
>
> Since you are using mod-synthrecord, you probably should stick to
> just mod-onlinesign. However, a new feature
> https://www.knot-dns.cz/docs/3.3/singlehtml/index.html#reverse-generate
> is an alternative to mod-synthrecord for reverse zones, and that one
> is compatible with normal signing. You might consider migrating to it.
>
> I guess that the error comes from a newly added sanity check, which
> was considered a tiny change and therefore not mentioned in the
> changelog.

Thanks for the quick answer :)

You're right, the dnssec zone options can be removed; I must have copied the zone stanza from another one (with no synthrecord/onlinesign).

Thanks for the reverse-generate suggestion, but I will stick to synthrecord as machines with privacy extensions lie in this address space ;)

Regards,

--
Bastien
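
The change agreed on in this thread, as an added illustration that is not part of either message and not Bastien's actual configuration: a constructed Knot DNS reverse-zone stanza in which the zone-level DNSSEC options are dropped and signing is left to mod-onlinesign. The zone name, module id, prefix, origin, TTL and network are placeholder values chosen for the example.

```yaml
# Constructed example, not the configuration from the thread.
# All names and addresses below are placeholders (documentation prefix 2001:db8::/32).

mod-synthrecord:
  - id: reverse6                      # hypothetical module id
    type: reverse                     # synthesize PTR records
    prefix: dyn-
    origin: dyn.example.net.
    ttl: 400
    network: 2001:db8::/64

zone:
  - domain: 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
    # Synthesized answers are signed at query time by mod-onlinesign.
    module: [mod-synthrecord/reverse6, mod-onlinesign]

    # Conflicting options copied from a normally signed zone.
    # They ask for signing at load/reload/update on top of online signing,
    # which is the combination the reply above calls a mistake.
    # Remove them from any zone that uses mod-onlinesign:
    #
    # dnssec-signing: on
    # dnssec-policy: default
```

A zone that takes its settings from a template can pick up `dnssec-signing` from there, so the template deserves the same look as the zone stanza when this combination is reported.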