[Opendnssec-user] moving zone from lab to default
Fredrik Thulin
fredrik at thulin.net
Thu Mar 31 07:36:47 UTC 2016
Hi
I have an opendnssec 1.4.6 setup with a KSK in a Yubikey NEO.
The Yubikey has limited space for keys, and the current p11 module doesn't
support key generation, so I have a single KSK in the Yubikey and a second
SoftHSM repository for ZSKs.
I created my first zone example.net in policy "lab" and imported the KSK in
the Yubikey like this:
ods-ksmutil key import --cka_id 01 --repository YubiKeyNEO4PIV \
--bits 2048 --algorithm 8 --keystate active --keytype KSK \
--time 20260309 --zone example.net
A ods-ksmutil key list --verbose shows me this (date and CKA_ID shortened to
make it fit in e-mail):
Keys:
Zone:        Keytype:  State:  Date:  Size:  Alg:  CKA_ID:     Repository:     Keytag:
example.net  KSK       active  2026   2048   8     01          YubiKeyNEO4PIV  10369
example.net  ZSK       active  2016   2048   8     85631b...2  SoftHSM         43338
When I was happy with it, I got my DS records published in the .net zone and
after that I wanted to move the zone to policy default. Turns out, keys are
secretly associated with policies for some reason, so opendnssec wanted to
generate a new KSK but failed since the YubikeyNEO4PIV repository doesn't
support key generation. I did not want to generate new KSKs.
How should one go about moving a zone from one policy to another? Don't tell
me how to do it in sqlite3, I've already figured that out ;).
/Fredrik
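Whatever route is taken to re-policy the zone, the property worth checking afterwards is that the DS published at the parent still references the imported KSK (key tag 10369 in the listing above) rather than a freshly generated one. Added example, not code from the post or from OpenDNSSEC: a small Python check that computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS from a DNSKEY record and compares them with a DS line; the sample DNSKEY below is constructed with a tiny placeholder public key, not a real 2048-bit key.

```python
# Added example: confirm a zone's KSK is the one referenced by the parent's DS.
# Key tag per RFC 4034 Appendix B; DS digest type 2 (SHA-256) per RFC 4509.
import base64
import hashlib

# Constructed sample record; the base64 "AQI=" is a 2-byte placeholder key.
SAMPLE_DNSKEY = "example.net. 3600 IN DNSKEY 257 3 8 AQI="

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' -> (owner, rdata)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> str:
    """DS RDATA 'keytag alg 2 <sha256 hex>' for this DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def parse_ds(line: str):
    tokens = line.split()
    idx = tokens.index("DS")
    return (int(tokens[idx + 1]), int(tokens[idx + 2]), int(tokens[idx + 3]),
            "".join(tokens[idx + 4:]).upper())

def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True when the DS line (digest type 2 only) was derived from this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype != 2:
        return False  # only SHA-256 DS records are handled here
    return [str(tag), str(alg), "2", digest] == make_ds(owner, rdata).split()
```

Run it against the zone's live DNSKEY RRset and the DS returned by the .net servers; a False result means the chain of trust no longer points at the YubiKey-held KSK.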