Single-Type Signing doesn't work with single ZSK key
After upgrade from 2.6.1 to 2.6.4, Knot stopped signing my zone which uses single ZSK key and manual signing policy.
    Feb 20 13:05:31 kitt.fcelda.cz knotd: info: [fcelda.cz.] DNSSEC, key, tag 64601, algorithm ECDSAP256SHA256, public, active
    Feb 20 13:05:31 kitt.fcelda.cz knotd: error: [fcelda.cz.] DNSSEC, keys validation failed (missing active KSK or ZSK)
    Feb 20 13:05:31 kitt.fcelda.cz knotd: error: [fcelda.cz.] DNSSEC, failed to load keys (missing active KSK or ZSK)
    Feb 20 13:05:31 kitt.fcelda.cz knotd: error: [fcelda.cz.] zone event 'load' failed (missing active KSK or ZSK)
    policy:
      - id: manual
        manual: true

    zone:
      - domain: fcelda.cz
        dnssec-policy: manual
    # keymgr fcelda.cz list
    e59ab60a372f7c3b195adedacb1db589f1ccc29b ksk=no zsk=yes tag=64601 algorithm=13 public-only=no created=1423866538 pre-active=0 publish=1 ready=1 active=1 retire-active=0 retire=0 post-active=0 remove=0
Based on the updated documentation (man keymgr), I believe Knot expects the Single-Type Signing key to be a KSK. However, that requirement is wrong - the SEP flag has merely informative meaning and doesn't play any role in DNSSEC signing/validation.
    Generate arguments
      ksk  If set to yes, the key will be used as Secure Entry Point.
      zsk  If set to yes, the key will be used for zone signing. This flag can be set concurrently with the ksk flag.
This part of the documentation is at least confusing. Does KSK mean that the key will be used to (1) sign DNSKEY records, or (2) that the SEP flag will be set, or (3) both? The flags either have to be exclusive (KSK = SEP, ZSK = !SEP) or there need to be three flags (KSK, ZSK, SEP). Also, if KSK and ZSK are independent of SEP, you can freely switch the values. SEP cannot be switched because that would change the key tag and DS.
Anyway, I cannot fix this now without going to the registrar and changing the DS records.
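The report's last point, that flipping the SEP bit changes the key tag and therefore the DS record at the registrar, can be checked directly from RFC 4034. The following is an added example written for this page, not Knot's own code: it builds DNSKEY RDATA for a constructed (not real) ECDSAP256SHA256-sized public key, computes the RFC 4034 Appendix B key tag and the SHA-256 DS digest for flags 256 (ZSK, no SEP) and 257 (ZSK + SEP), and decodes the two flag bits. The owner name `example.` and the filler key bytes are assumptions.

```python
import hashlib
import struct

# DNSKEY flag bits, RFC 4034 section 2.1.1: bit 7 = Zone Key, bit 15 = SEP (RFC 3757)
ZONE_KEY = 0x0100
SEP = 0x0001


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA wire format: Flags (2) | Protocol (1) | Algorithm (1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Uncompressed wire-format owner name (length-prefixed labels, root label last)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, rdata, hasher=hashlib.sha256):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name wire format || DNSKEY RDATA)."""
    return hasher(owner_wire(owner.lower()) + rdata).hexdigest()


def describe_flags(flags):
    """Decode the two flag bits that matter for KSK/ZSK/SEP discussions."""
    return {"zone_key": bool(flags & ZONE_KEY), "sep": bool(flags & SEP)}


# Constructed sample key material: 32 filler bytes, the size of a P-256 public key, not a real key.
SAMPLE_PUBKEY = bytes(range(32))


def compare_sep_toggle(owner="example.", pubkey=SAMPLE_PUBKEY, algorithm=13):
    """Same key bytes with and without SEP: tag and DS differ, so the flag cannot be toggled in place."""
    zsk = dnskey_rdata(ZONE_KEY, algorithm, pubkey)        # flags 256
    ksk = dnskey_rdata(ZONE_KEY | SEP, algorithm, pubkey)  # flags 257
    return {
        "zsk_tag": key_tag(zsk),
        "ksk_tag": key_tag(ksk),
        "zsk_ds": ds_digest(owner, zsk),
        "ksk_ds": ds_digest(owner, ksk),
    }


if __name__ == "__main__":
    result = compare_sep_toggle()
    print("flags 256:", describe_flags(ZONE_KEY), "tag", result["zsk_tag"], "DS", result["zsk_ds"])
    print("flags 257:", describe_flags(ZONE_KEY | SEP), "tag", result["ksk_tag"], "DS", result["ksk_ds"])
```

Because the flags field is the first 16-bit word of the RDATA, setting SEP on an otherwise identical key shifts the key tag by exactly one and produces a different DS digest; the signing algorithm never reads the bit. A validator accepts whichever DNSKEY matches the DS at the parent, so the practical constraint is the one the report names: the published DS, not the SEP bit, pins the key.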