[Opendnssec-user] Changing policy for some domains
Michael Grimm
trashcan at ellael.org
Tue Apr 20 09:41:10 UTC 2021
Roman Serbski via Opendnssec-user <opendnssec-user at lists.opendnssec.org> wrote:
> OpenDNSSEC 2.1.8 running on FreeBSD 12.2-RELEASE-p2 serving ~80
> domains and using the default policy (algorithm 8) which still amazes
> me and my friends.
>
> We're moving towards algorithm 13 and the new policy has been created,
> so all newly created domains get signed with algorithm 13.
>
> My question is: how do I gradually migrate existing domains to a new
> policy? According to
> https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-Changeapolicyconfiguration
> I can modify the default policy, which will affect all of them. But
> can I change the policy for certain domains only, or will I have to
> stop signing the domain, publish the unsigned zone, wait and then add
> the domain to a new policy?
I did use this scheme and parts of Berry's remarks regarding domain-by-domain migration:
https://mail.sys4.de/pipermail/dane-users/2019-December/000539.html
After some initial testing with a test domain of mine I used this scheme for all remaining domains.
Regards,
Michael