server runs a tld as primary, but slds are hidden primaries which the
server pulls as a secondary, wants to sign bump-in-the-wire, and then
make available to public secondaries.  i think that the doc says this is
doable, but instructions are insufficiently explicit for this idjit.

i am fetching the slds into

    policy:
      - id: pol-256-256
        algorithm: rsasha256 # was ecdsap256sha256 sra uses ecdsap384sha384
        manual: on
    ...
    template:
      - id: signed
        storage: /var/lib/knot/sec-sign
        dnssec-signing: on
        dnssec-policy: pol-256-256
        zonefile-sync: -1
        zonefile-load: difference
        journal-content: all
        serial-policy: unixtime
    ...
    zone:
      - domain: sld.tld
        file: tld.sld  # sorry, i like alpha sort in `ls` :)
        master: hidden-fetch
        template: signed
        acl: [allow-local, secondaries-push]

the policy and template are those from signing the primary zone, which i
suspect is ill-advised.

i did generate keying as i would when signing a primary zone

    # keymgr sld.tld generate algorithm=rsasha256 ksk=yes zsk=yes
    7a618eaf94ea1d903233cb547faa24bae8cb49a5
    # knotc zone-reload sld.tld
    OK
    # keymgr sld.tld ds
    sld.tld. DS 63562 8 2 2d25e465f131900413d7e8a90ad1b96c75ba835de63dfee08610b113a779d41f
    sld.tld. DS 63562 8 4 ed9c31c495703ec354f1a1835c9878339224cc06ac3001151c2ebb89524b25190efa424348c999b0c4df940edffa8409

any kind soul(s) care to whack me with a clue bat?

randy
--
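As an added illustration (not from Randy's post and not Knot project documentation), this is the shape a complete knot.conf for the bump-in-the-wire layout described above takes: the policy, template and sld.tld zone stanzas are the ones shown in the post, and the key, remote and acl stanzas they reference (hidden-fetch, allow-local, secondaries-push) are filled in. Every address, the TSIG key name and secret, the hidden-notify and public-secondaries ids, and the tld zone's file path are assumed values chosen for the example.

```yaml
# Added example, not Randy's config or Knot documentation.
# Assumed: all addresses, the TSIG key, the hidden-notify and
# public-secondaries ids, and the tld zone file path.  The policy,
# template and sld.tld stanzas are those from the post above.

key:
  - id: xfer-key                      # assumed name; generate one with: keymgr -t xfer-key
    algorithm: hmac-sha256
    secret: c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=   # constructed placeholder, replace it

remote:
  - id: hidden-fetch                  # hidden primary for sld.tld (assumed address)
    address: 192.0.2.10@53
    key: xfer-key
  - id: public-secondaries            # public secondaries that get NOTIFY (assumed addresses)
    address: [198.51.100.20@53, 198.51.100.21@53]
    key: xfer-key

acl:
  - id: allow-local
    address: 127.0.0.1
    action: [transfer, notify]
  - id: hidden-notify                 # accept NOTIFY only from the hidden primary, TSIG-signed
    address: 192.0.2.10
    key: xfer-key
    action: notify
  - id: secondaries-push              # let the public secondaries AXFR/IXFR the signed zone
    address: 198.51.100.0/24
    key: xfer-key
    action: transfer

policy:
  - id: pol-256-256
    algorithm: rsasha256
    ksk-size: 2048
    zsk-size: 2048
    manual: on                        # no automatic rollovers; keys are driven with keymgr

template:
  - id: signed
    storage: /var/lib/knot/sec-sign
    dnssec-signing: on
    dnssec-policy: pol-256-256
    zonefile-sync: -1                 # never write the signed copy back to disk
    zonefile-load: difference
    journal-content: all              # the signed zone lives in the journal
    serial-policy: unixtime

zone:
  - domain: tld                       # this server is primary for the parent;
    file: /var/lib/knot/zones/tld     # the two DS lines from `keymgr sld.tld ds` go in here
    acl: [secondaries-push]
    notify: public-secondaries
  - domain: sld.tld                   # bump-in-the-wire: pull unsigned, sign, serve signed
    file: tld.sld
    master: hidden-fetch
    notify: public-secondaries
    acl: [allow-local, hidden-notify, secondaries-push]
    template: signed
```

The point of the extra acl entry is that a secondary only accepts NOTIFY from sources matched by an acl with `action: notify`, so the hidden primary needs one (restricted to its address and TSIG key) or the unsigned zone is never refetched on change. The DS records belong in the parent, and since the same server is primary for tld they are added to the tld zone data with owner sld.tld. and the zone reloaded; `knotc zone-refresh sld.tld` forces the first pull from the hidden primary and `knotc zone-status sld.tld` shows the serial the signed copy is currently serving. With `manual: on` nothing rolls keys automatically, so the KSK and ZSK generated with keymgr stay in use until replaced by hand.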
