[Opendnssec-user] moving zone from lab to default

Fredrik Thulin fredrik at thulin.net
Thu Mar 31 08:44:16 UTC 2016


On Thursday, March 31, 2016 10:25:52 AM Yuri Schaeffer wrote:
> Hi Fredrik,
> 
> > When I was happy with it, I got my DS records published in the .net zone
> > and after that I wanted to move the zone to policy default. Turns out,
> > keys are secretly associated with policies for some reason, so opendnssec
> > wanted to generate a new KSK but failed since the YubikeyNEO4PIV
> > repository doesn't support key generation. I did not want to generate
> > new KSKs.
> 
> As far as I know OpenDNSSEC 1.x does not support this kind of operation.
> Keys are linked to a policy since the policy dictates their parameters
> and, more importantly, lifetime and TTLs.

Thank you for the quick response. It would have been easier to understand that 
if "ods-ksmutil key import" took a --policy rather than --zone.

Does <ShareKeys/> span policies? How come ShareKeys appears to be a setting for 
all keys of all types, and not a setting per repository or key-type?

/Fredrik