[Opendnssec-user] Changing policy for some domains
Roman Serbski
mefystofel at gmail.com
Tue Apr 20 13:40:12 UTC 2021
On Tue, Apr 20, 2021 at 11:17 AM Berry van Halderen <berry at nlnetlabs.nl> wrote:
>
> What should work, but haven't a test-case for it, is to use the
> contributed
> set-policy from the enforcer. Create a new policy in your kasp.xml with
> all the same parameters, except from the new algorithm. Then (re)import
> the policy. Then one be one move zones to the new policy. You will
> have
> to enforce the zones manually to ensure they start the rolling policy
> probably.
>
> Relevant commands:
> vi kasp.xml
> ods-enforcer policy import
> ods-enforcer zone set-policy -z example.com -p newpolicy
> ods-enforcer enforce -z example.com
>
> One caveat to think of, I probably wouldn't use this on combined signing
> keys (CSKs).
>
> If possible test this first, we've used set-policy but not for this
> specific case AFAIK.
Thank you Berry.
I tried the set-policy switch in the test environment and it worked,
however I ended up with the zone with two sets of KSK/ZSKs (8 and 13).
I'm not sure how to delete the one signed with 8 now.
'ods-enforcer zone delete' accepts --zone <zone> which will wipe out both sets.
PS: By the way, this command (typed by mistake) made ods-enforcerd
crash (exited on signal 6):
ods-enforcer key purge --zone example.com --policy default
too many arguments
[Remote closed connection]
And in the logs:
Apr 20 15:33:29 qsign-n01 ods-enforcer[2959]: stack overflow detected:
terminated
Apr 20 15:33:29 qsign-n01 kernel: pid 2959 (ods-enforcerd), jid 0, uid
0, exited on signal 6
More information about the Opendnssec-user
mailing list