[Opendnssec-user] Changing policy for some domains

Michael Grimm trashcan at ellael.org
Tue Apr 20 09:41:10 UTC 2021

Roman Serbski via Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote:

> OpenDNSSEC 2.1.8 running on FreeBSD 12.2-RELEASE-p2 serving ~80
> domains and using the default policy (algorithm 8) which still amazes
> me and my friends.
> We're moving towards algorithm 13 and the new policy has been created,
> so all newly created domains get signed with algorithm 13.
> My question is: how do I gradually migrate existing domains to a new
> policy?  According to
> https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-Changeapolicyconfiguration
> I can modify the default policy which will affect all of them.  But
> can I change the policy for certain domains only, or I will have to
> stop signing the domain, publish unsigned zone, wait and then add the
> domain to a new policy?

I did use this scheme and parts of Berry's remarks regarding domain per domain migration:


After some initial testing with a test domain of mine I used this scheme for all remaining domains.


More information about the Opendnssec-user mailing list