[Opendnssec-user] Changing policy for some domains
Berry van Halderen
berry at nlnetlabs.nl
Tue Apr 20 09:17:51 UTC 2021
On 2021-04-20 10:45, Roman Serbski via Opendnssec-user wrote:
> OpenDNSSEC 2.1.8 running on FreeBSD 12.2-RELEASE-p2 serving ~80
> domains and using the default policy (algorithm 8) which still amazes
> me and my friends.
> We're moving towards algorithm 13 and the new policy has been created,
> so all newly created domains get signed with algorithm 13.
> My question is: how do I gradually migrate existing domains to a new
> policy? According to
> I can modify the default policy which will affect all of them. But
> can I change the policy for certain domains only, or I will have to
> stop signing the domain, publish unsigned zone, wait and then add the
> domain to a new policy?
What should work, but haven't a test-case for it, is to use the
set-policy from the enforcer. Create a new policy in your kasp.xml with
all the same parameters, except from the new algorithm. Then (re)import
the policy. Then one be one move zones to the new policy. You will
to enforce the zones manually to ensure they start the rolling policy
ods-enforcer policy import
ods-enforcer zone set-policy -z example.com -p newpolicy
ods-enforcer enforce -z example.com
One caveat to think of, I probably wouldn't use this on combined signing
If possible test this first, we've used set-policy but not for this
specific case AFAIK.
More information about the Opendnssec-user