mod-onlinesign is not transferred when using a catalog zone
I'm currently in the process of migrating from BIND9 to Knot, and I noticed onlinesign is very useful to do DNSSEC-signed record synthesis (which I'd use for my network's v4 and v6 reverse zones).
To not have to go into all three of my servers, I'm using a catalog zone, which works (from what I can tell) flawlessly.
However, not sure if I configured my setup incorrectly or if this is intended behaviour and I just read the docs wrong again, but it seems the secondary nameservers do not mirror anything DNSSEC-related when using mod-onlinesign for a zone.
I'm curious if, as a middle ground, it'd be possible to run mod-onlinesign 3 times and publish all 3 DS records to the registries.
Some uncertainties I have with this are:
- Will Knot even sign the XFR'd zone at all? (Since it will look to it like it's fully complete already)
- Will resolvers ignore any but the first served DS records from the registrar?
Any ideas? :)
Relevant snippets from the primary and one secondary instance:
Primary
acl:
  - id: secondary_notify
    address: [ 2001:db8::2 ]
    action: [ notify, transfer ]
    key: related_key

remote:
  - id: secondary
    address: [ 2001:db8::2 ]
    via: [ 2001:db8::1 ]
    key: related_key

policy:
  - id: ed25519
    algorithm: ED25519
    single-type-signing: on
    rrsig-lifetime: 25h
    rrsig-refresh: 20h

mod-onlinesign:
  - id: explicit
    policy: ed25519

template:
  - id: signed_ed25519
    storage: /var/lib/knot/forward
    semantic-checks: on
    catalog-role: member
    catalog-zone: catalog-zone.
    notify: secondary
    acl: secondary_notify
    serial-policy: unixtime
    module: mod-onlinesign/explicit

  - id: reverse_ed25519
    storage: /var/lib/knot/reverse
    semantic-checks: on
    notify: secondary
    acl: secondary_notify
    catalog-role: member
    catalog-zone: catalog-zone.
    serial-policy: unixtime
    module: mod-onlinesign/explicit

zone:
  - domain: abc.ltd
    template: signed_ed25519

  # Reverse zones
  - domain: 8.b.d.0.1.0.0.2.ip6.arpa.
    template: reverse_ed25519

  # Catalog zone
  - domain: catalog-zone.
    catalog-role: generate
    notify: secondary
    acl: secondary_notify
Secondary
acl:
  - id: primary_notify
    address: [ 2001:db8::1 ]
    action: [ notify, transfer ]
    key: xfr_notify_key

remote:
  - id: primary
    address: [ 2001:db8::2 ]
    via: [ 2001:db8::1 ]
    key: xfr_notify_key

template:
  - id: catalog-primary-members
    master: primary
    storage: "/var/lib/knot/zones"
    acl: primary_notify

zone:
  - domain: catalog-zone.
    storage: "/var/lib/knot/zones"
    master: primary
    acl: primary_notify
    catalog-role: interpret
    catalog-template: catalog-primary-members
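If each server runs its own mod-onlinesign instance, each one signs with its own key, so every server's DNSKEY needs a matching DS at the parent for validation to succeed no matter which server a resolver hits. The following added example (not from the post above or from the Knot project) computes the SHA-256 DS for a DNSKEY per RFC 4034 and reports which servers have no DS published; the keys and the zone name are constructed sample values.

```python
"""Check that every authoritative server's DNSKEY has a published DS record."""
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, uncompressed)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex) with digest type 2 (SHA-256)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def unmatched_keys(owner: str, server_keys: dict, published_ds: list) -> list:
    """Names of servers whose DNSKEY has no matching DS in the published set."""
    ds_set = {(t, a, d, h.lower()) for (t, a, d, h) in published_ds}
    return [srv for srv, (flags, alg, pk) in server_keys.items()
            if make_ds(owner, flags, alg, pk) not in ds_set]


if __name__ == "__main__":
    # Constructed sample keys, one per server (flags 257 = KSK, algorithm 15 = ED25519).
    # In practice these come from a DNSKEY query against each server.
    keys = {
        "ns1": (257, 15, bytes(range(1, 33))),
        "ns2": (257, 15, bytes(range(33, 65))),
        "ns3": (257, 15, bytes(range(65, 97))),
    }
    # Suppose only ns1 and ns2 have a DS at the registry: ns3 is reported.
    ds = [make_ds("abc.ltd", *keys["ns1"]), make_ds("abc.ltd", *keys["ns2"])]
    print("servers without a published DS:", unmatched_keys("abc.ltd", keys, ds))
```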