[Opendnssec-user] What should happen when you change the policy for a zone

Sebastian Castro sebastian at nzrs.net.nz
Wed Jan 19 22:28:04 UTC 2011

Good day,

This is a test we run in our testing environment, which uses Manual
Rollovers and Key Generation.

We had a zone called 'example.com' using a policy called 'default'. Main
facts about this policy:

KSK, 1024-bits key, 5D lifetime
ZSK, 1024-bits key, 2D lifetime

On Jan 12 we changed the policy to 'test-pol1', which has the same
definition for ZSK and KSK as 'default'.

The change was executed by editing the zonelist.xml file, replacing the
policy name and then calling 'ods-ksmutil update zonelist'.

Starting from that point, KSK rollover continued to work properly but
ZSK rollovers stopped working. You will find attached the history of KSK
and ZSK for the zone.

An 'ods-ksmutil rollover list' shows

/usr/local/opendnssec/bin/ods-ksmutil rollover list --zone example.com
Date: Thu Jan 20 10:34:58 2011
SQLite database set to: /var/opendnssec/kasp.db
Zone:                           Keytype:      Rollover expected:
example.com                     ZSK           2011-01-13 17:28:22
example.com                     KSK           2011-01-22 13:14:46

We have tried the rollover manually many times, but no error message (or
rollover) is produced.

Back to the original subject: Should this test work or not? Is
OpenDNSSEC prepared for a policy change for a zone?

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: example.com-KSK-history.txt
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110120/29560e65/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: example.com-ZSK-history.txt
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110120/29560e65/attachment-0001.txt>
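
An added example, not part of the original message and not OpenDNSSEC code: a small monitoring check that parses the 'ods-ksmutil rollover list' output quoted above and reports keys whose expected rollover time has already passed, which is how the stalled ZSK shows up here. The function names and the `grace` parameter are assumptions, and the report's "Date:" line is assumed to be in the same time zone as the "Rollover expected" column.

```python
import re
from datetime import datetime, timedelta

# Output copied from the message above (ods-ksmutil rollover list --zone example.com).
SAMPLE = """\
Date: Thu Jan 20 10:34:58 2011
SQLite database set to: /var/opendnssec/kasp.db
Zone:                           Keytype:      Rollover expected:
example.com                     ZSK           2011-01-13 17:28:22
example.com                     KSK           2011-01-22 13:14:46
"""

# One data row: zone name, key type, expected rollover timestamp.
ROW = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")


def parse_rollover_list(text):
    """Return (report_time, [(zone, keytype, expected), ...])."""
    report_time = None
    rows = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            report_time = datetime.strptime(line[5:].strip(), "%a %b %d %H:%M:%S %Y")
            continue
        m = ROW.match(line)
        if m:
            expected = datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S")
            rows.append((m.group(1), m.group(2), expected))
    if report_time is None:
        raise ValueError("no 'Date:' line in rollover list output")
    return report_time, rows


def overdue_rollovers(text, grace=timedelta(hours=1)):
    """List keys whose expected rollover lies more than `grace` in the past.

    `grace` is a hypothetical tolerance for the enforcer's run interval.
    """
    now, rows = parse_rollover_list(text)
    return [(zone, keytype, now - expected)
            for zone, keytype, expected in rows
            if now - expected > grace]


if __name__ == "__main__":
    for zone, keytype, late in overdue_rollovers(SAMPLE):
        print(f"OVERDUE {zone} {keytype}: rollover was expected {late} ago")
```

Run against the live command output from cron, a non-empty result is the alert condition: the rollover is late even though no error was logged.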
