Cannot switch to a previously used ksk-shared dnssec policy
With Knot 2.6.7, let there be a zone with an automatic key management policy, where the policy employs KSK sharing, like this:

```yaml
policy:
  - id: ecdsa_fast
    ksk-shared: on
    zsk-lifetime: 1h
    ksk-lifetime: 5h
    propagation-delay: 10s
    rrsig-lifetime: 2h
    rrsig-refresh: 1h
    ksk-submission: local_resolver
    single-type-signing: off
  - id: ecdsa_fast_single
    ksk-shared: on
    zsk-lifetime: 1h
    ksk-lifetime: 5h
    propagation-delay: 10s
    rrsig-lifetime: 2h
    rrsig-refresh: 1h
    single-type-signing: on
    ksk-submission: local_resolver

zone:
  - domain: "zone.66.acad.cz"
    file: "/etc/knot/%s.zone"
    zonefile-sync: -1
    zonefile-load: difference
    dnssec-signing: on
    dnssec-policy: ecdsa_fast
    acl: acl_slave
```
If the zone is switched to a different policy by changing the dnssec-policy option in the zone definition and then back to the previously used policy, the switch back fails with the following error in the system log:

```
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: info: configuration reloaded
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: info: [zone.66.acad.cz.] DNSSEC, signing scheme rollover started
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: error: [zone.66.acad.cz.] DNSSEC, failed to initialize (not exists)
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: error: [zone.66.acad.cz.] zone event 'DNSSEC re-sign' failed (not exists)
```
Creating a new policy with a different id, or disabling the ksk-shared option in the policy, works around the issue.
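Because a failed policy switch leaves the zone unsigned until someone notices, it is worth alerting on the log signature above. The following detector is an added example, not part of this report or of Knot; it parses knotd syslog lines in the format shown and flags any zone where a "signing scheme rollover started" message is followed by a "DNSSEC, failed to initialize" error. The sample log lines are constructed from the report, plus a healthy zone for contrast.

```python
import re
from collections import defaultdict

# Matches knotd syslog lines of the shape shown in the report:
# "<ts> <host> knotd[<pid>]: <level>: [<zone>] <message>" (zone part is optional).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) knotd\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+): (?:\[(?P<zone>[^\]]+)\] )?(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a knotd line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_failed_policy_switches(lines):
    """Return {zone: [error messages]} for zones where a signing scheme rollover
    started and was then followed by a 'DNSSEC, failed to initialize' error."""
    rollover_started = set()
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["zone"] is None:
            continue  # not a knotd line, or a global message such as "configuration reloaded"
        zone, msg = rec["zone"], rec["msg"]
        if msg.startswith("DNSSEC, signing scheme rollover started"):
            rollover_started.add(zone)
        elif (rec["level"] == "error" and "DNSSEC, failed to initialize" in msg
              and zone in rollover_started):
            hits[zone].append(msg)
    return dict(hits)

# Constructed sample: the lines from the report plus a zone whose rollover succeeded.
SAMPLE_LOG = """\
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: info: configuration reloaded
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: info: [zone.66.acad.cz.] DNSSEC, signing scheme rollover started
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: error: [zone.66.acad.cz.] DNSSEC, failed to initialize (not exists)
Jun 24 18:11:15 n66.clones.cesnet.cz knotd[11612]: error: [zone.66.acad.cz.] zone event 'DNSSEC re-sign' failed (not exists)
Jun 24 18:11:16 n66.clones.cesnet.cz knotd[11612]: info: [example.test.] DNSSEC, signing zone
Jun 24 18:11:16 n66.clones.cesnet.cz knotd[11612]: info: [example.test.] DNSSEC, signing scheme rollover started
Jun 24 18:11:16 n66.clones.cesnet.cz knotd[11612]: info: [example.test.] DNSSEC, successfully signed
""".splitlines()

if __name__ == "__main__":
    for zone, errors in find_failed_policy_switches(SAMPLE_LOG).items():
        print(f"ALERT {zone}: {'; '.join(errors)}")
```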
As a related feature request, I believe there is some additional metadata in the keys LMDB that is not visible to the keymgr utility. It would be nice to have a tool to inspect and/or fix those policy-related parts of the database, maybe as a new feature of the keymgr utility.