

4.10 Automatic DNSSEC signing (experimental)

Knot DNS 1.4 is the first release to include an automatic DNSSEC signing feature. Automatic DNSSEC signing is currently highly experimental; there are many known issues we are working on and limitations we will try to eliminate. Be aware that anything in the current implementation can change, including configuration options. We have no intention to maintain backward compatibility.

4.10.1 Example configuration

The example configuration enables automatic signing for all zones using the dnssec-enable option in the zones section, but signing is explicitly disabled for zone example.dev using the same option directly in that zone's configuration. The location of the directory with signing keys is set globally by the dnssec-keydir option.


zones {
  dnssec-enable on;
  dnssec-keydir "/var/lib/knot/keys";

  example.com {
    file "example.com.zone";
  }

  example.dev {
    file "example.dev.zone";
    dnssec-enable off;
  }
}

4.10.2 Signing keys

The signing keys can be generated only with the ISC dnssec-keygen tool, and there are some limitations:


Example of how to generate an NSEC3-capable zone signing key (ZSK) and key signing key (KSK) for zone example.com:


$ cd /var/lib/knot/keys
$ dnssec-keygen -3 example.com
$ dnssec-keygen -3 -f KSK example.com
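The following script is an added example and not part of Knot DNS or its manual. It ties the two preceding sections together: it parses the brace-style configuration shown above (only `key value;` statements and nested `name { ... }` blocks, which is all the example uses), works out the effective dnssec-enable value for each zone (the zone-level option overrides the global one in the zones section), and then checks whether every zone that will be signed has both a KSK and a ZSK in the key directory. The key files are constructed inline in the layout dnssec-keygen writes (`K<zone>+<alg>+<keytag>.key` containing one DNSKEY record; flags 257 = KSK with the SEP bit set, 256 = ZSK); the key tags, algorithm number and key material are placeholders, and the check assumes the DNSKEY line carries no TTL field.

```python
import re

# Constructed copy of the section's example configuration (input for the parser).
KNOT_CONF = """
zones {
  dnssec-enable on;
  dnssec-keydir "/var/lib/knot/keys";

  example.com {
    file "example.com.zone";
  }

  example.dev {
    file "example.dev.zone";
    dnssec-enable off;
  }
}
"""

# Tokens: quoted strings, the structural characters { } ;, or bare words.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_block(tokens, pos=0):
    """Parse `key value;` statements and `name { ... }` sub-blocks into a dict.
    Sub-blocks become nested dicts. Returns (dict, position after the block)."""
    node = {}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '}':
            return node, pos + 1
        if pos + 1 < len(tokens) and tokens[pos + 1] == '{':
            child, pos = parse_block(tokens, pos + 2)
            node[tok] = child
        else:
            values = []
            pos += 1
            while tokens[pos] != ';':
                values.append(tokens[pos].strip('"'))
                pos += 1
            node[tok] = ' '.join(values)
            pos += 1
    return node, pos


def parse_config(text):
    tree, _ = parse_block(_TOKEN.findall(text))
    return tree


def effective_signing(conf):
    """Return {zone: bool}: the zone-level dnssec-enable overrides the global one."""
    zones = conf.get('zones', {})
    global_on = zones.get('dnssec-enable', 'off') == 'on'
    result = {}
    for name, body in zones.items():
        if not isinstance(body, dict):
            continue  # a global option, not a zone block
        result[name] = body.get('dnssec-enable', 'on' if global_on else 'off') == 'on'
    return result


# Constructed stand-in for the key directory: filename -> .key file contents.
# Layout follows dnssec-keygen output; tags, algorithm and key data are placeholders.
KEYDIR_FILES = {
    "Kexample.com.+007+12345.key":
        "; This is a zone-signing key, keyid 12345, for example.com.\n"
        "example.com. IN DNSKEY 256 3 7 AwEAAcONSTRUCTEDzsk==\n",
    "Kexample.com.+007+54321.key":
        "; This is a key-signing key, keyid 54321, for example.com.\n"
        "example.com. IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDksk==\n",
}


def inventory_keys(files):
    """Map zone -> set of roles found in K*.key files.
    DNSKEY flags: SEP bit (value 1) set => KSK (257), clear => ZSK (256)."""
    roles = {}
    for name, content in files.items():
        if not (name.startswith('K') and name.endswith('.key')):
            continue
        for line in content.splitlines():
            parts = line.split()
            if line.startswith(';') or len(parts) < 7 or parts[2] != 'DNSKEY':
                continue
            zone = parts[0].rstrip('.')
            role = 'KSK' if int(parts[3]) & 1 else 'ZSK'
            roles.setdefault(zone, set()).add(role)
    return roles


def audit(conf_text, files):
    """Return (signing map, {zone: [missing roles]}) for zones that will be signed
    but lack a KSK or ZSK in the key directory."""
    signing = effective_signing(parse_config(conf_text))
    keys = inventory_keys(files)
    problems = {}
    for zone, enabled in signing.items():
        missing = {'KSK', 'ZSK'} - keys.get(zone, set()) if enabled else set()
        if missing:
            problems[zone] = sorted(missing)
    return signing, problems


if __name__ == '__main__':
    signing, problems = audit(KNOT_CONF, KEYDIR_FILES)
    print("effective signing:", signing)   # example.com on, example.dev off
    print("zones missing keys:", problems)  # none for the constructed key dir
```

Running the audit against a real key directory only needs `KEYDIR_FILES` replaced by a mapping read from the directory named by dnssec-keydir. The useful failure mode it surfaces is a zone that inherits the global dnssec-enable on without any key ever having been generated for it, which is the situation the per-zone override in the example configuration is there to avoid.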

4.10.3 Signing policy

Currently the signing policy is not configurable, except for signature lifetime.

4.10.4 Zone signing

The signing process consists of the following steps:


Zone signing is performed when the zone is loaded into the server, on zone reload, before any signature expires, and after a DDNS update. Signing can also be forced with the signzone command issued by knotc; in that case all signatures are recreated. After each zone signing, a new signing event is planned. The user can view the time of this event with the knotc zonestatus command.

