[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Jul 28 08:02:41 UTC 2015
Hi Sebastian,
> I had the zone running on the 'lab' policy and changed it to the
> 'default' policy. I *expected* that the zone would be reconfigured
> to the new timers etc.
Switching policies is not supported. When you do, there is no
guarantee your zone will be signed correctly, at least for some time
(depending on TTL).
> Is this expected behavior when changing policies? The keys for
> policy 'lab' and 'default' have the same algorithms and key
> lengths.
Yes it is. Keys are tied to policies.
> When adding the zone I noticed that no keys were generated for the
> zone:
OpenDNSSEC pre-generates keys for later use. Likely a formerly
generated but unused key was still available.
> I must say I find it a bit confusing which settings come from the
> XML files and which states are in the MySQL database.
I agree.
Generally state resides in the database, policy in the xml (kasp.xml).
The kasp can be reloaded, however changing timing parameters is a
tricky thing. In real life the distinction between state and policy
isn't absolute.
//Yuri