Rolling the algorithm will by necessity also roll both KSK and ZSK. During the rollover all RRs will be signed by BOTH keys.
- Open the Knot configuration file:
sudo vi /etc/knot/knot.conf- Edit the DNSSEC signing policy and change algorithm for the KSK and ZSK (both must use the same algorithm)
policy:
- id: lab_p256
algorithm: RSASHA256
...
-
Save and exit
-
Verify that the configuration is valid
sudo knotc conf-check- Reload Knot
sudo knotc reload- Check that the new KSK has been generated and is ready to be published
sudo keymgr labbX.examples.nu list- Perform a zone transfer (AXFR) and note that the whole zone is now signed with double signatures:
dig @127.0.0.1 labbX.examples.nu axfrKnot will automatically phase out the old keys and signatures as it resigns the zone
- Show the DS RRs that we are about to publish. Notice that they share the key tag with the KSK:
sudo keymgr labbX.examples.nu ds-
Ask your teacher to update the DS in the parent zone.
-
Wait until the DS has been uploaded. Check the DS with the following command:
dig @ns1.examples.nu labbX.examples.nu DS- We must manually tell the signer that the KSK has been submitted.
sudo knotc zone-ksk-submitted labbX.examples.nuIf the KSK is not yet ready to be submitted, you must wait a bit and try again later.
- After the KSK has been submitted, wait for Knot to replace the keys and signatures. Check the key list and note that the old KSK and ZSK has been removed.
sudo keymgr labbX.examples.nu listdig @127.0.0.1 labbX.examples.nu axfr-
Ask your teacher to remove the old DS from the parent zone.
-
Verify that the old DS has been removed
dig @ns1.examples.nu labbX.examples.nu DSNext Section: Signing with NSEC3