[Opendnssec-user] Changing policy for some domains

Berry van Halderen berry at nlnetlabs.nl
Tue Apr 20 13:45:09 UTC 2021


On 2021-04-20 15:40, Roman Serbski via Opendnssec-user wrote:
> On Tue, Apr 20, 2021 at 11:17 AM Berry van Halderen 
> <berry at nlnetlabs.nl> wrote:
>> 
>> What should work, but I haven't a test-case for it, is to use the
>> contributed set-policy from the enforcer.  Create a new policy in your
>> kasp.xml with all the same parameters, except for the new algorithm.
>> Then (re)import the policy.  Then one by one move zones to the new
>> policy.  You will have to enforce the zones manually to ensure they
>> start the rolling policy probably.
>> 
>> Relevant commands:
>>    vi kasp.xml
>>    ods-enforcer policy import
>>    ods-enforcer zone set-policy -z example.com -p newpolicy
>>    ods-enforcer enforce -z example.com
>> 
>> One caveat to think of, I probably wouldn't use this on combined
>> signing keys (CSKs).
>> 
>> If possible test this first, we've used set-policy but not for this
>> specific case AFAIK.
> 
> Thank you Berry.
> 
> I tried the set-policy switch in the test environment and it worked,
> however I ended up with the zone with two sets of KSK/ZSKs (8 and 13).
> I'm not sure how to delete the one signed with 8 now.

Are you sure it is not in a roll yet?  Because an algorithm roll is
different from a normal roll and needs to be kept in both until the
roll is complete.

> 'ods-enforcer zone delete' accepts --zone <zone> which will wipe out 
> both sets.
> 
> PS: By the way, this command (typed by mistake) made ods-enforcerd
> crash (exited on signal 6):

Thx, I'll fix that.

> 
> And in the logs:
> 
> Apr 20 15:33:29 qsign-n01 ods-enforcer[2959]: stack overflow detected:
> terminated
> Apr 20 15:33:29 qsign-n01 kernel: pid 2959 (ods-enforcerd), jid 0, uid
> 0, exited on signal 6
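One way to produce the "same parameters, except the algorithm" policy that the procedure in this thread calls for, as an added example that is not part of the thread or of OpenDNSSEC itself: the script below deep-copies an existing `<Policy>` in kasp.xml and changes only the KSK/ZSK `<Algorithm>`, so nothing else drifts between the two policies. The sample kasp.xml, the policy names and the `length="256"` attribute used for algorithm 13 are constructed assumptions to check against your own file and the kasp.xml documentation.

```python
"""Clone an OpenDNSSEC kasp.xml policy, changing only the key algorithm.
Added example, not OpenDNSSEC code.  Assumes the stock layout:
<KASP><Policy name=...><Keys> with <KSK>/<ZSK> each holding
<Algorithm length="...">N</Algorithm>; every other element is copied as-is."""
import copy
import xml.etree.ElementTree as ET

# Constructed, minimal kasp.xml with one RSASHA256 (8) policy; a real file
# also carries Signatures, Denial, Zone and Parent sections (copied verbatim).
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Description>RSA policy</Description>
    <Keys>
      <TTL>PT3600S</TTL>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime>
           <Repository>SoftHSM</Repository></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P90D</Lifetime>
           <Repository>SoftHSM</Repository></ZSK>
    </Keys>
  </Policy>
</KASP>"""

def clone_policy(kasp_xml, src, dst, algorithm, length):
    """Return kasp_xml with a copy of policy `src` appended under name `dst`,
    identical except that each KSK/ZSK <Algorithm> becomes `algorithm` with
    the given length attribute (the right length for alg 13 is an assumption)."""
    root = ET.fromstring(kasp_xml)
    policies = {p.get("name"): p for p in root.findall("Policy")}
    if src not in policies:
        raise KeyError(f"no policy named {src!r}")
    if dst in policies:
        raise KeyError(f"policy {dst!r} already exists; refusing to overwrite")
    new = copy.deepcopy(policies[src])
    new.set("name", dst)
    for key in new.findall("Keys/KSK") + new.findall("Keys/ZSK"):
        alg = key.find("Algorithm")
        alg.text = str(algorithm)
        alg.set("length", str(length))
    root.append(new)
    return ET.tostring(root, encoding="unicode")

def policy_algorithms(kasp_xml, name):
    """Return [(role, algorithm)] for policy `name`: a quick check to run
    before `ods-enforcer policy import` and `ods-enforcer zone set-policy`."""
    root = ET.fromstring(kasp_xml)
    pol = root.find(f"Policy[@name='{name}']")
    return [(k.tag, int(k.findtext("Algorithm")))
            for k in pol.find("Keys") if k.tag in ("KSK", "ZSK")]
```

Write the returned string back to kasp.xml, then run the `policy import` / `zone set-policy` / `enforce` commands from the thread one zone at a time.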
