[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Jul 28 08:02:41 UTC 2015

Hash: SHA1

Hi Sebastian,

> I had the zone running on the 'lab' policy and changed it to the 
> 'default' policy. I *expected* that the zone would be reconfigured
> to the new timers etc.

Switching policies is not supported. When you do, there is no
guarantee your zone will be signed correctly. At least for some time
(depending on TTL)

> Is this expected behavior when changing policies? The keys for
> policy 'lab' and 'default' have the same algorithms and key
> lengths.

Yes it is. Keys are tight to policies.

> When adding the zone I noticed that no keys were generated for the 
> zone:

OpenDNSSEC pre-generates keys for later use. Likely a formerly
generated but unused key was still available.

> I must say I find it a bit confusing which setting come from the
> XML files and which states are in the MySQL Database.

I agree.
Generally state resides in the database, policy in the xml (kasp.xml).
The kasp can be reloaded, however changing timing parameters is a
tricky thing. In real life the distinction between state and policy
isn't absolute.

Version: GnuPG v2


More information about the Opendnssec-user mailing list