[Opendnssec-user] Changing policy for some domains
Berry van Halderen
berry at nlnetlabs.nl
Tue Apr 20 13:45:09 UTC 2021
On 2021-04-20 15:40, Roman Serbski via Opendnssec-user wrote:
> On Tue, Apr 20, 2021 at 11:17 AM Berry van Halderen
> <berry at nlnetlabs.nl> wrote:
>> What should work, but I haven't a test-case for it, is to use the
>> set-policy from the enforcer. Create a new policy in your kasp.xml with
>> all the same parameters, except for the new algorithm. Then import
>> the policy. Then one by one move zones to the new policy. You will need
>> to enforce the zones manually to ensure they start the rolling policy.
>> Relevant commands:
>> vi kasp.xml
>> ods-enforcer policy import
>> ods-enforcer zone set-policy -z example.com -p newpolicy
>> ods-enforcer enforce -z example.com
>> One caveat to think of, I probably wouldn't use this on combined
>> keys (CSKs).
>> If possible test this first, we've used set-policy but not for this
>> specific case AFAIK.
> Thank you Berry.
> I tried the set-policy switch in the test environment and it worked,
> however I ended up with the zone with two sets of KSK/ZSKs (8 and 13).
> I'm not sure how to delete the one signed with 8 now.
Are you sure it is not in a roll yet? Because an algorithm roll is
different from a normal roll, and both need to be kept until the
roll is complete.
> 'ods-enforcer zone delete' accepts --zone <zone> which will wipe out
> both sets.
> PS: By the way, this command (typed by mistake) made ods-enforcerd
> crash (exited on signal 6):
Thx, I'll fix that.
> And in the logs:
> Apr 20 15:33:29 qsign-n01 ods-enforcer: stack overflow detected:
> Apr 20 15:33:29 qsign-n01 kernel: pid 2959 (ods-enforcerd), jid 0, uid 0, exited on signal 6
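An added example, not from this thread and not OpenDNSSEC project code: a small POSIX sh script that drives the per-zone part of the procedure above (set-policy, then a manual enforce) and then checks, from the enforcer's own key list, whether the zone is in an algorithm roll, i.e. has keys of two algorithms, which is the situation in which the old set must not be removed by hand. It assumes OpenDNSSEC 2.x command syntax, that the new policy has already been added to kasp.xml and loaded with `ods-enforcer policy import`, and that `ods-enforcer key list -z ZONE -v` prints per key "... Size Algorithm CKA_ID Repository KeyTag" as the last five whitespace-separated columns (the transition column can contain spaces, so columns are counted from the right). The key-list text embedded below is constructed for the example, not captured from a real system; the column layout is an assumption to verify against your build before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenDNSSEC project).
# Assumptions: OpenDNSSEC 2.x CLI; `ods-enforcer key list -v` rows end with
# "Size Algorithm CKA_ID Repository KeyTag" (algorithm = 4th column from the
# right). Verify the layout against your version before using this.

# Print (default) or run the per-zone commands from the thread.
# Usage: migrate_zone ZONE NEWPOLICY [run]
migrate_zone() {
    zone=$1; policy=$2; mode=${3:-print}
    for cmd in \
        "ods-enforcer zone set-policy -z $zone -p $policy" \
        "ods-enforcer enforce -z $zone"
    do
        if [ "$mode" = run ]; then
            $cmd || return 1        # stop at the first failing step
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Read key-list text on stdin and print the number of distinct DNSKEY
# algorithms in use for ZONE ($1). Data rows start with the zone name;
# the algorithm is taken as the 4th column from the right (assumed layout).
algorithms_in_use() {
    awk -v zone="$1" '
        $1 == zone && NF >= 5 { algs[$(NF-3)] = 1 }
        END { n = 0; for (a in algs) n++; print n }'
}

# Return 0 when ZONE ($1) has keys of more than one algorithm, i.e. an
# algorithm roll is in progress and the enforcer, not the operator, decides
# when the old keys go. Return 1 when only one algorithm is present.
zone_is_rolling() {
    n=$(algorithms_in_use "$1")
    if [ "$n" -gt 1 ]; then
        echo "$1: $n algorithms present, algorithm roll in progress, keep both sets"
        return 0
    fi
    echo "$1: single algorithm, no roll in progress"
    return 1
}

# Constructed sample in the assumed layout: example.com has the old
# algorithm 8 (RSASHA256) keys active and new algorithm 13 (ECDSAP256SHA256)
# keys introduced, the "two sets of KSK/ZSKs" situation from the thread.
SAMPLE_KEYLIST='Keys:
Zone:        Keytype: State:   Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.com  KSK      active   2021-05-01 12:00:00      2048  8          0a1b2c3d4e5f60718293a4b5c6d7e8f9 SoftHSM     11111
example.com  ZSK      active   2021-05-01 12:00:00      1024  8          1b2c3d4e5f60718293a4b5c6d7e8f90a SoftHSM     22222
example.com  KSK      ready    waiting for ds-seen      256   13         2c3d4e5f60718293a4b5c6d7e8f90a1b SoftHSM     33333
example.com  ZSK      publish  2021-04-21 13:45:09      256   13         3d4e5f60718293a4b5c6d7e8f90a1b2c SoftHSM     44444
other.test   KSK      active   2021-05-01 12:00:00      2048  8          4e5f60718293a4b5c6d7e8f90a1b2c3d SoftHSM     55555
'

# Stand-alone demonstration: show the commands, then classify both zones.
migrate_zone example.com newpolicy
printf '%s' "$SAMPLE_KEYLIST" | zone_is_rolling example.com || true
printf '%s' "$SAMPLE_KEYLIST" | zone_is_rolling other.test || true
```

On a live system replace the sample with `ods-enforcer key list -z "$zone" -v | zone_is_rolling "$zone"` after each `migrate_zone ... run`; a zone that reports two algorithms is mid-roll and should be left to the enforcer until it reports one again. `ods-enforcer zone delete` is not a way to drop the old set: as noted in the thread it removes the zone with both sets.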