Couple of newbie questions/issues
Hello,
I am trying to move 30+ company domains from Bind to Knot, and so far I did manage to configure (in a test env) all I need. I do have some "different approach" issues; maybe someone can clear them up for me.
- In Bind I used a simple nano/vim editor to edit the zone file, I bump the serial by +1 (usually yyyymmdd0x) and do a reload. What is the preferred way to do this in Knot? I will explain in the other questions why this bothers me.
- I want to use dnssec, so I have something like:

    policy:
      - id: rsa
        algorithm: RSASHA256
        ksk-size: 2048
        zsk-size: 1024
        zsk-lifetime: 30d
        ksk-lifetime: 365d

  and

    template:
      - id: signed
        storage: /var/lib/knot/signed
        dnssec-signing: on
        semantic-checks: on

  together with:

    zone:
      - domain: domain.net
        dnssec-policy: rsa
        storage: /var/lib/knot/zones/
        file: domain.net.zone
        notify: slave
        acl: acl_slave
        template: signed
  Is this the preferred way of doing this "automatic way"?
  Issues I have with this (and it's related to question no. 1):
- I assumed signed zones would be in /var/lib/knot/signed without touching the original zone file.
- I assumed I would edit /var/lib/knot/zones/domain.net.zone, put my new/changed records there, do knotc reload, and Knot would "compile" the changes and put them into /var/lib/knot/signed/domain.net.zone. Obviously this is not the case.. So is there a way to separate the "normal" from the "signed" zone, or how otherwise to properly edit/change/add a zone (question no. 1)?
- During testing my slave Knot got configured and was transferring properly; however, at some point Knot manipulating the SOA serial automagically got the slave confused, so now I get:
received, serial 2020062402 remote serial 2020062402, zone is outdated refresh, remote master not usable refresh, failed (no usable master)
  as errors. I tried completely deleting the zone from the slave and notifying again, but the issue is still the same. How can I fix this?
- How can I send the dnssec-signed zone to be on the slave too? When I do, for example: dig mydomain.com @ip.of.master CDS I get a response, but when I do the same on the slave with: dig mydomain.com @ip.of.slave CDS I get no response.
Sorry for maybe too much text and too much "RTFM" (I did follow the docs though..). Thanks
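The serial mismatch in the third question comes down to how a secondary compares SOA serials, which follows RFC 1982 wrap-around arithmetic rather than plain integer order. The following is an added illustration, not code from the post or from Knot: it implements that comparison, the transfer decision a secondary makes from it, and a helper for the poster's manual yyyymmddNN scheme that refuses a serial a secondary would not accept (the function names and the "today" parameter are the example's own).

```python
from typing import Optional
from datetime import date

MOD = 1 << 32    # SOA serials are unsigned 32-bit and wrap around
HALF = 1 << 31   # RFC 1982: "newer" means less than 2^31 ahead on the circle


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 arithmetic.
    Serials exactly 2^31 apart are undefined in the RFC; treated as not newer."""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def secondary_decision(local: int, remote: int) -> str:
    """What a secondary should do after a SOA refresh query to its primary.
    Only a strictly newer remote serial triggers a transfer; an equal serial
    means the secondary keeps what it has even if the primary's content changed."""
    if serial_gt(remote, local):
        return "transfer"
    if remote % MOD == local % MOD:
        return "in-sync"
    return "remote-older"


def next_dateserial(current: int, today: Optional[str] = None) -> int:
    """Next serial in the yyyymmddNN scheme from the post: bump NN on the same
    day, otherwise start today's counter at 01. today is 'YYYYMMDD' (defaults
    to the real date). Raises when the scheme is exhausted for the day or when
    the candidate would not count as newer for a secondary (e.g. the current
    serial already carries a later date than today)."""
    if today is None:
        today = date.today().strftime("%Y%m%d")
    base = int(today) * 100
    candidate = current + 1 if current // 100 == base // 100 else base + 1
    if candidate % 100 == 0:
        raise ValueError("more than 99 edits on one day; yyyymmddNN is exhausted")
    if not serial_gt(candidate, current):
        raise ValueError(f"{candidate} is not newer than {current} under RFC 1982")
    return candidate
```

Note that a serial derived from Unix time (about 1.59e9 in June 2020) compares as older than a date-based serial such as 2020062402, so switching schemes in that direction leaves secondaries convinced they are already in sync.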