[Opendnssec-user] Changing policy for some domains

Berry van Halderen berry at nlnetlabs.nl
Tue Apr 20 09:17:51 UTC 2021

On 2021-04-20 10:45, Roman Serbski via Opendnssec-user wrote:
> OpenDNSSEC 2.1.8 running on FreeBSD 12.2-RELEASE-p2 serving ~80
> domains and using the default policy (algorithm 8) which still amazes
> me and my friends.
> We're moving towards algorithm 13 and the new policy has been created,
> so all newly created domains get signed with algorithm 13.
> My question is: how do I gradually migrate existing domains to a new
> policy?  According to
> https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-Changeapolicyconfiguration
> I can modify the default policy which will affect all of them.  But
> can I change the policy for certain domains only, or I will have to
> stop signing the domain, publish unsigned zone, wait and then add the
> domain to a new policy?

What should work, but haven't a test-case for it, is to use the 
set-policy from the enforcer.  Create a new policy in your kasp.xml with
all the same parameters, except from the new algorithm.  Then (re)import
the policy.  Then one be one move zones to the new policy.  You will 
to enforce the zones manually to ensure they start the rolling policy

Relevant commands:
   vi kasp.xml
   ods-enforcer policy import
   ods-enforcer zone set-policy -z example.com -p newpolicy
   ods-enforcer enforce -z example.com

One caveat to think of, I probably wouldn't use this on combined signing
keys (CSKs).

If possible test this first, we've used set-policy but not for this
specific case AFAIK.


More information about the Opendnssec-user mailing list