ds-push does not replace the DS RRset on parent
Knot 2.9.1 on Debian Stretch (installed from nic.cz packages)
policy:
  - id: rsa01
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    ksk-lifetime: 5m
    zsk-lifetime: 2m
    dnskey-ttl: 10s
    propagation-delay: 5s
    zone-max-ttl: 15s
    ksk-submission: tt01
    ds-push: knotmaster
    cds-cdnskey-publish: rollover
As described on the mailing list, I'm rolling the KSK every five minutes for testing, and I note that the DS RRset in the parent zone isn't being purged of old DS records.
DS push is designed so that the DDNS to the parent contains a removal of the whole DS RRset and an addition of the newest DS record. However, this does not work due to a bug.
I'm putting this here as a reminder.
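The intended update described above (remove the whole DS RRset, then add the newest DS) can be expressed in RFC 2136 wire format and checked against a captured update. The following is an added example, not Knot's code and not part of the original issue; the function names, the zone names `example.` / `child.example.` and the DS RDATA are constructed for illustration.

```python
import struct

TYPE_SOA, TYPE_DS, CLASS_IN, CLASS_ANY = 6, 43, 1, 255
# Constructed DS RDATA: key tag 12345, algorithm 8 (RSASHA256), digest type 2, dummy digest
SAMPLE_DS = struct.pack("!HBB", 12345, 8, 2) + bytes(range(32))

def encode_name(name):
    """Uncompressed DNS wire encoding of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(parent, child, ds_rdata, ttl=3600, replace=True):
    """RFC 2136 UPDATE for the child's DS at the parent; replace=False omits the delete."""
    # "Delete an RRset" (RFC 2136 2.5.2): class ANY, TTL 0, empty RDATA
    updates = [rr(child, TYPE_DS, CLASS_ANY, 0)] if replace else []
    updates.append(rr(child, TYPE_DS, CLASS_IN, ttl, ds_rdata))  # add the newest DS
    header = struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, len(updates), 0)  # opcode 5
    zone = encode_name(parent) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone + b"".join(updates)

def skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:  # walk plain labels
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)          # pointer is 2 bytes, root label is 1

def ds_operations(msg):
    """List the DS operations in an UPDATE message's update section, in order."""
    _, flags, zocount, prcount, upcount, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != 5:
        raise ValueError("not a DNS UPDATE message")
    pos = 12
    for _ in range(zocount):
        pos = skip_name(msg, pos) + 4            # zone entry has no TTL/RDATA
    ops = []
    for i in range(prcount + upcount):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if i >= prcount and rtype == TYPE_DS:    # ignore prerequisite records
            ops.append("delete-rrset" if rclass == CLASS_ANY and rdlen == 0
                       else "add" if rclass == CLASS_IN else "other")
    return ops

def replaces_ds_rrset(msg):
    """True if the update purges the old DS RRset before adding a DS."""
    ops = ds_operations(msg)
    return ops[:1] == ["delete-rrset"] and "add" in ops[1:]
```

Feeding the DNS payload of a captured ds-push update to `replaces_ds_rrset` shows whether the parent was actually asked to purge the old DS records; an add-only update leaves them in place.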