How to use ksk-shared correctly?
I want to share the KSK of zone 1 with zone 2, as follows. In knot.conf:
...
policy:
  - id: auto_policy
    signing-threads: 4
    algorithm: ECDSAP256SHA256
    zsk-lifetime: 10m
    propagation-delay: 2s
    ksk-shared: true
template:
  - id: signed
    dnssec-signing: on
    dnssec-policy: auto_policy
...
In zone 1:
mod-geoip:
...
zone:
  - domain: volcdns-boe.com.
    module: mod-geoip/volcdns-boe.com._net
    module: mod-geoip/volcdns-boe.com._country.province.isp
    module: mod-geoip/volcdns-boe.com._country.group.isp
    module: mod-geoip/volcdns-boe.com._scope.continent.country.isp
    storage: /opt/tiger/data/ti/etc/knot/volcdns-boe.com./
    file: volcdns-boe.com..zone
    template: signed
In zone 2:
mod-geoip:
...
zone:
  - domain: test6.com.
    module: mod-geoip/test6.com._net
    module: mod-geoip/test6.com._country.province.isp
    module: mod-geoip/test6.com._country.group.isp
    module: mod-geoip/test6.com._scope.continent.country.isp
    storage: /opt/tiger/data/ti/etc/knot/test6.com./
    file: test6.com..zone
    template: signed
The result in knot.log:
2023-11-24T16:56:08+0800 error [test6.com.] DNSSEC, no keys are available
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._net', failed to load DNSSEC keys
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._net', failed to load (no keys for signing)
2023-11-24T16:56:08+0800 error [test6.com.] DNSSEC, no keys are available
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._country.province.isp', failed to load DNSSEC keys
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._country.province.isp', failed to load (no keys for signing)
2023-11-24T16:56:08+0800 error [test6.com.] DNSSEC, no keys are available
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._country.group.isp', failed to load DNSSEC keys
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._country.group.isp', failed to load (no keys for signing)
2023-11-24T16:56:08+0800 error [test6.com.] DNSSEC, no keys are available
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._scope.continent.country.isp', failed to load DNSSEC keys
2023-11-24T16:56:08+0800 error [test6.com.] module 'mod-geoip/test6.com._scope.continent.country.isp', failed to load (no keys for signing)
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, signing zone
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, signing zone
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 1419, algorithm ECDSAP256SHA256, KSK, public, active
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 49356, algorithm ECDSAP256SHA256, KSK, public, active
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 63370, algorithm ECDSAP256SHA256, public
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 22177, algorithm ECDSAP256SHA256, public, active
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, signing started
2023-11-24T16:56:17+0800 info configuration reloaded
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, zone is up-to-date
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, next signing at 2023-11-24T16:56:37+0800
2023-11-24T16:56:17+0800 notice [test6.com.] DNSSEC, KSK submission, waiting for confirmation
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, key, tag 11492, algorithm ECDSAP256SHA256, KSK, public, ready, active+
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, key, tag 57329, algorithm ECDSAP256SHA256, public, active
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, signing started
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, successfully signed
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, next signing at 2023-11-24T17:06:17+0800
2023-11-24T16:56:17+0800 info [test6.com.] zone file updated, serial 2023110220 -> 2023110221
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, signing zone
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, key, tag 1419, algorithm ECDSAP256SHA256, KSK, public, active
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, key, tag 49356, algorithm ECDSAP256SHA256, KSK, public, active
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, key, tag 22177, algorithm ECDSAP256SHA256, public
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, key, tag 63370, algorithm ECDSAP256SHA256, public, active
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, signing started
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, successfully signed
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] DNSSEC, next signing at 2023-11-24T17:01:39+0800
2023-11-24T16:56:37+0800 info [volcdns-boe.com.] zone file updated, serial 2023112139 -> 2023112140
I think it should be due to the "template" that zone 2 did not use zone 1's KSK. So how can I correctly achieve the purpose of KSK sharing? I want all zones to use the same KSK. Looking forward to receiving your reply and suggestions.
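Added check, not part of the post above and not Knot's own tooling: a small Python script that reads the "DNSSEC, key" lines from the log excerpt, collects the KSK key tags per zone, and reports whether any tag is common to every zone. Run on the lines quoted above it reports none, because volcdns-boe.com. lists KSK tags 1419 and 49356 while test6.com. lists 11492, which is exactly the symptom the poster describes. The dnskey_key_tag function is the RFC 4034 Appendix B key-tag computation, so the same comparison can be made on the flags-257 DNSKEY records each zone actually serves (as printed by dig DNSKEY): two zones sharing a KSK publish an identical DNSKEY and therefore an identical tag. The two-byte public key used to exercise that function is a constructed value, not a real key.

```python
import base64
import re
from collections import defaultdict

# Key-listing lines copied from the knot.log excerpt in the post above
# (the volcdns-boe.com. and test6.com. lines from 16:56:17).
LOG_LINES = """\
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 1419, algorithm ECDSAP256SHA256, KSK, public, active
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 49356, algorithm ECDSAP256SHA256, KSK, public, active
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 63370, algorithm ECDSAP256SHA256, public
2023-11-24T16:56:17+0800 info [volcdns-boe.com.] DNSSEC, key, tag 22177, algorithm ECDSAP256SHA256, public, active
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, key, tag 11492, algorithm ECDSAP256SHA256, KSK, public, ready, active+
2023-11-24T16:56:17+0800 info [test6.com.] DNSSEC, key, tag 57329, algorithm ECDSAP256SHA256, public, active
""".splitlines()

# One "DNSSEC, key, ..." line: zone in brackets, numeric tag, algorithm name,
# then comma-separated role/state flags; "KSK" marks a key-signing key,
# lines without it are ZSKs.
KEY_LINE = re.compile(
    r"\[(?P<zone>[^\]]+)\] DNSSEC, key, tag (?P<tag>\d+), "
    r"algorithm (?P<alg>\S+), (?P<flags>.*)$"
)


def ksk_tags_by_zone(lines):
    """Map zone name -> set of KSK key tags found in Knot's key-listing lines."""
    tags = defaultdict(set)
    for line in lines:
        m = KEY_LINE.search(line)
        if not m:
            continue
        flags = [f.strip() for f in m.group("flags").split(",")]
        if "KSK" in flags:
            tags[m.group("zone")].add(int(m.group("tag")))
    return dict(tags)


def shared_ksk_tags(tags_by_zone):
    """Key tags present in every zone; an empty set means no KSK is shared."""
    if not tags_by_zone:
        return set()
    return set.intersection(*tags_by_zone.values())


def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag of a DNSKEY given in presentation format
    (the four fields printed by 'dig DNSKEY <zone>'). Valid for every
    algorithm except the obsolete algorithm 1 (RSA/MD5)."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        # Odd offsets are added as-is, even offsets as the high byte of a word.
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


if __name__ == "__main__":
    per_zone = ksk_tags_by_zone(LOG_LINES)
    for zone, tags in per_zone.items():
        print(f"{zone}: KSK tags {sorted(tags)}")
    common = shared_ksk_tags(per_zone)
    print("shared KSK:", sorted(common) if common else "none (zones use different KSKs)")
    # Constructed DNSKEY (flags 257 = KSK, protocol 3, algorithm 13) with a
    # two-byte placeholder public key, only to exercise the tag arithmetic.
    print("key tag of constructed DNSKEY:", dnskey_key_tag(257, 3, 13, "AAE="))
```

Once sharing is in effect the same tag should appear in the KSK line of every zone using the policy, and the flags-257 DNSKEY returned by dig for each zone should be byte-for-byte identical; the log-based check is a quick first look, the DNSKEY comparison is the authoritative one.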