[Opendnssec-user] Changing policy for some domains

Havard Eidnes he at uninett.no
Fri Apr 23 11:52:56 UTC 2021

> What should work, but haven't a test-case for it, is to use the
> contributed set-policy from the enforcer.  Create a new policy
> in your kasp.xml with all the same parameters, except from the
> new algorithm.  Then (re)import the policy.  Then one by one
> move zones to the new policy.  You will have to enforce the
> zones manually to ensure they start the rolling policy
> probably.
> Relevant commands:
>   vi kasp.xml
>   ods-enforcer policy import
>   ods-enforcer zone set-policy -z example.com -p newpolicy
>   ods-enforcer enforce -z example.com
> One caveat to think of, I probably wouldn't use this on
> combined signing keys (CSKs).
> If possible test this first, we've used set-policy but not for
> this specific case AFAIK.

Hmm, this probably means that the wiki page at


with the notice

   Once a zone is signed, changes to the algorithm require a
   rollover which is not currently handled by OpenDNSSEC. Attempts
   to change the algorithm on a policy will result in a warning
   message and a request for confirmation.

needs an update?  In particular it would seem that "is not
currently handled by OpenDNSSEC" is no longer true?

Also, this section doesn't mention the "length" parameter, and
whether it is mandatory.  As I understand it, the ECDSA
algorithms have an implied key length, but I suspect OpenDNSSEC
still insists you supply this field when specifying those

Me myself, I'm struggling with getting OpenDNSSEC to accept my
new dual-policy kasp.xml file, it keeps saying

error: Unable to validate '/usr/pkg/etc/opendnssec/kasp.xml' consistency.

when I do "ods-enforcer update all", and there's not much
information in the log either, at log level 5, so I'm scratching
my head because, once again, OpenDNSSEC doesn't really provide
operator-friendly error messages, pointing to the specific
detail which is wrong, it just says "Nope!".

Well...  Re-tried with "ods-enforcer policy import", and got the
somewhat more helpful

Unable to validate the KASP XML, please run ods-kaspcheck for more details!

and that gave me

INFO: The XML in /usr/pkg/etc/opendnssec/conf.xml is valid
INFO: The XML in /usr/pkg/etc/opendnssec/kasp.xml is valid
ERROR: ZSK with algorithm 14 not found, algorithm mismatch between ZSK and KSK
INFO: The XML in /usr/pkg/etc/opendnssec/zonelist.xml is valid

So ... I tried specifying algorithm 14 (ECDSA P-384) for KSK with
a 1 year rotation, and algorithm 13 (ECDSA P-256) for ZSK with a
1 month rotation.  Isn't that supposed to be supported?  Or is
there something in the protocol specification which says that you
must have the same algorithm for KSK and ZSK? (I didn't think so.)


- Håvard
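An added check, not OpenDNSSEC's own ods-kaspcheck code, that parses a constructed two-policy kasp.xml laid out the way the thread describes (a KSK/ZSK pair per policy under Keys) and reports the same KSK/ZSK algorithm mismatch that ods-kaspcheck flagged above; the policy names, lifetimes and key lengths are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed kasp.xml (not from the post): "default" is a consistent RSA
# policy; "ecdsa" mixes a P-384 KSK (14) with a P-256 ZSK (13), which is the
# mismatch ods-kaspcheck reported in the thread.
KASP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<KASP>
  <Policy name="default">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P1M</Lifetime></ZSK>
    </Keys>
  </Policy>
  <Policy name="ecdsa">
    <Keys>
      <KSK><Algorithm>14</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm>13</Algorithm><Lifetime>P1M</Lifetime></ZSK>
    </Keys>
  </Policy>
</KASP>
"""

def policy_algorithms(kasp_xml):
    """Map each policy name to the set of algorithm numbers of its KSKs and ZSKs."""
    root = ET.fromstring(kasp_xml)
    result = {}
    for policy in root.findall("Policy"):
        result[policy.get("name")] = {
            role: {int(a.text) for a in policy.findall(f"Keys/{role}/Algorithm")}
            for role in ("KSK", "ZSK")
        }
    return result

def find_algorithm_mismatches(kasp_xml):
    """Return one message per policy whose KSK and ZSK algorithm sets differ.

    This reproduces the rule behind the 'algorithm mismatch between ZSK and
    KSK' error: RFC 4035 section 2.2 requires an RRSIG by each algorithm in
    the apex DNSKEY RRset on every RRset, so a KSK algorithm with no ZSK of
    the same algorithm would leave zone data without a required signature.
    """
    problems = []
    for name, algs in policy_algorithms(kasp_xml).items():
        for alg in sorted(algs["KSK"] - algs["ZSK"]):
            problems.append(f"{name}: ZSK with algorithm {alg} not found")
        for alg in sorted(algs["ZSK"] - algs["KSK"]):
            problems.append(f"{name}: KSK with algorithm {alg} not found")
    return problems

if __name__ == "__main__":
    for line in find_algorithm_mismatches(KASP_XML) or ["all policies consistent"]:
        print(line)
```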