Knot DNS issues
https://gitlab.nic.cz/knot/knot-dns/-/issues
2018-06-13T15:42:05+02:00

https://gitlab.nic.cz/knot/knot-dns/-/issues/229
Support for NSEC3 opt-out
2018-06-13T15:42:05+02:00
Jan Včelák

Currently, NSEC3 opt-out is not supported by zone signing. There is also no way to set the flag, as the flag in NSEC3PARAM has to be zero. The support can be added with the new DNSSEC library - the flag will be part of the KASP settings.
Note: BIND allows setting of the flag via DDNS. NSEC3PARAM with opt-out enabled is written as a private RR type, which is used to control the signing. The final NSEC3PARAM in the zone has the flag cleared.
next
Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/issues/599
obsolete single-type-signing documentation note
2018-08-09T10:12:47+02:00
Daniel Stirnimann

The documentation for `single-type-signing` contains the following note:
> Note Because key rollover is not supported yet, just one combined signing key is generated if none is available.
See also
* https://gitlab.labs.nic.cz/knot/knot-dns/blob/master/doc/man/knot.conf.5in#L609
* https://gitlab.labs.nic.cz/knot/knot-dns/blob/master/doc/reference.rst#L693
This seems obsolete in 2.7.0 as https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.7.0/NEWS mentions
> - Online Signing support for automatic key rollover

next
Libor Peltan