[Opendnssec-user] Changing policy for some domains

Roman Serbski mefystofel at gmail.com
Tue Apr 20 13:40:12 UTC 2021

On Tue, Apr 20, 2021 at 11:17 AM Berry van Halderen <berry at nlnetlabs.nl> wrote:
> What should work, but I haven't a test-case for it, is to use the
> contributed set-policy from the enforcer.  Create a new policy in your
> kasp.xml with all the same parameters, except for the new algorithm.
> Then (re)import the policy.  Then one by one move zones to the new
> policy.  You will have to enforce the zones manually to ensure they
> start the rolling policy properly.
> Relevant commands:
>    vi kasp.xml
>    ods-enforcer policy import
>    ods-enforcer zone set-policy -z example.com -p newpolicy
>    ods-enforcer enforce -z example.com
> One caveat to think of, I probably wouldn't use this on combined signing
> keys (CSKs).
> If possible test this first, we've used set-policy but not for this
> specific case AFAIK.

Thank you Berry.

I tried the set-policy switch in the test environment and it worked,
however I ended up with the zone with two sets of KSK/ZSKs (8 and 13).
I'm not sure how to delete the one signed with 8 now.

'ods-enforcer zone delete' accepts --zone <zone> which will wipe out both sets.

PS: By the way, this command (typed by mistake) made ods-enforcerd
crash (exited on signal 6):

ods-enforcer key purge --zone example.com --policy default
too many arguments
[Remote closed connection]

And in the logs:

Apr 20 15:33:29 qsign-n01 ods-enforcer[2959]: stack overflow detected:
Apr 20 15:33:29 qsign-n01 kernel: pid 2959 (ods-enforcerd), jid 0, uid
0, exited on signal 6
