Hi Daniel

Thanks, indeed.  I had a suspicion something in the default template was in the 
way.  Too bad now all other zones have to have two lines of definitions rather 
than just one :-)

I was also confused that knot doesn’t publish CDS records for zones that are 
not in the process of rolling a key, but after picking the right zone, it turns 
out everything works as intended:

> dig @ns3b.droso.dk cds _dsboot.lansing.cl._signal.ns3b.droso.dk +dnssec +short
37743 13 2 FF4EF91DD6471FF6207FFD30A512C9573200A53D7163B67DF9F31F75 459142AB
CDS 13 7 0 20240528154030 20240514141030 32886 _signal.ns3b.droso.dk. 
1rN4np8mrXkvFU+Ikcs7DEzNgE7eFc/Ml8wSPrnEvY51VaLCFMC9h7gx 
c2zFu79kWufy5MbykQ7P0XyFXCSu2A==


Thanks again and great new feature!  Hopefully more registries and registrars 
will add it.
Best
Erwin


> On 14 May 2024, at 08.05, Daniel Salzman <daniel.salz...@nic.cz> wrote:
> 
> Hi Erwin,
> 
> The module generates responses online, so you must use online DNSSEC signing, 
> which is incompatible with
> the pre-signing functionality.
> 
> You need to remove dnssec-signing (and dnssec-policy) from the default 
> template. Also note that mod-onlinesign
> ignores NSEC3 setting (remove nsec3 from the policy).
> 
> Daniel
> 
> On 5/13/24 22:18, Erwin Lansing via knot-dns-users wrote:
>> Howdy,
>> I’m trying to get Knot 3.3.5 to use authenticated DNSSEC bootstrapping 
>> following the blog article and docs.  However, I’m getting an error for the 
>> signalling zones, but I fail to figure out what I may have overlooked.
>> error: [_signal.ns2.droso.dk.] module 
>> 'mod-onlinesign/authsignal', incompatible with automatic signing
>> Relevant knot.conf snippets (in order):
>> policy:
>>   - id: ecc
>>     algorithm: ecdsap256sha256
>>     nsec3: on
>>     rrsig-refresh: 7d
>> mod-onlinesign:
>>   - id: authsignal
>>     nsec-bitmap: [CDS, CDNSKEY]
>>     policy: ecc
>> template:
>>   - id: default
>> …
>>     dnssec-signing: on
>>     dnssec-policy: ecc
>> …
>> zone:
>>   - domain: _signal.ns2.droso.dk
>>     module: [mod-authsignal, mod-onlinesign/authsignal]
>> Any hint appreciated
>> Best
>> Erwin
>> --
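
For reference, here is a knot.conf that applies the advice in the thread. This is an 
added example, not a configuration posted by Erwin or shipped by Knot DNS: the 
dnssec-signing/dnssec-policy lines are moved out of the "default" template into a 
second template (named "signed" here, an assumed name) that ordinary zones opt 
into, nsec3 is dropped from the policy because mod-onlinesign ignores it, and the 
ordinary zone example.org is a constructed placeholder. The signalling zone name, 
policy id, module ids and nsec-bitmap are the ones from the thread.

```yaml
# Added example (not from the thread): knot.conf after applying Daniel's advice.
# Assumptions: a second template "signed" (assumed name) carries the automatic
# signing settings that used to sit in "default"; example.org is a constructed
# placeholder for an ordinary, pre-signed zone.

policy:
  - id: ecc
    algorithm: ecdsap256sha256
    rrsig-refresh: 7d
    # nsec3 intentionally not set: mod-onlinesign ignores it anyway

mod-onlinesign:
  - id: authsignal
    nsec-bitmap: [CDS, CDNSKEY]
    policy: ecc

template:
  - id: default
    # No dnssec-signing / dnssec-policy here. Every zone inherits "default",
    # and the signalling zone must not be signed automatically, otherwise Knot
    # reports: module 'mod-onlinesign/authsignal', incompatible with automatic signing
    # (other default settings elided in the thread would go here)

  - id: signed
    # Ordinary zones that should keep pre-signing reference this template,
    # which is why each of them now needs one extra line.
    dnssec-signing: on
    dnssec-policy: ecc

zone:
  # Signalling zone: answers are generated and signed online by the module only.
  - domain: _signal.ns2.droso.dk
    module: [mod-authsignal, mod-onlinesign/authsignal]

  # Constructed placeholder for a normally signed zone.
  - domain: example.org
    template: signed
```

After reloading, the check Erwin ran above applies unchanged: a CDS query for 
_dsboot.<child>._signal.<nameserver> with +dnssec should return the CDS record 
together with an RRSIG made by the signalling zone's online key.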
