[Opendnssec-user] Changing policy for some domains

Roman Serbski mefystofel at gmail.com
Tue Apr 20 08:45:12 UTC 2021


Hello,

OpenDNSSEC 2.1.8 running on FreeBSD 12.2-RELEASE-p2 serving ~80
domains and using the default policy (algorithm 8) which still amazes
me and my friends.

We're moving towards algorithm 13 and the new policy has been created,
so all newly created domains get signed with algorithm 13.

My question is: how do I gradually migrate existing domains to a new
policy?  According to
https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-Changeapolicyconfiguration
I can modify the default policy, which will affect all of them.  But
can I change the policy for certain domains only, or will I have to
stop signing the domain, publish an unsigned zone, wait and then add the
domain to a new policy?

Thank you.

