On 2021-04-20 15:40, Roman Serbski via Opendnssec-user wrote:
On Tue, Apr 20, 2021 at 11:17 AM Berry van Halderen <be...@nlnetlabs.nl> wrote:

What should work, but haven't a test-case for it, is to use the contributed set-policy from the enforcer. Create a new policy in your kasp.xml with all the same parameters, except from the new algorithm. Then (re)import the policy. Then one by one move zones to the new policy. You will have to enforce the zones manually to ensure they start the rolling policy probably.

Relevant commands:
   vi kasp.xml
   ods-enforcer policy import
   ods-enforcer zone set-policy -z example.com -p newpolicy
   ods-enforcer enforce -z example.com

One caveat to think of, I probably wouldn't use this on combined signing keys (CSKs).

If possible test this first, we've used set-policy but not for this
specific case AFAIK.

Thank you Berry.

I tried the set-policy switch in the test environment and it worked,
however I ended up with the zone with two sets of KSK/ZSKs (8 and 13).
I'm not sure how to delete the one signed with 8 now.

Are you sure it is not in a roll yet? Because an algorithm roll is different from a normal roll and needs to be kept in both until the roll is complete.

'ods-enforcer zone delete' accepts --zone <zone> which will wipe out both sets.

PS: By the way, this command (typed by mistake) made ods-enforcerd
crash (exited on signal 6):

Thx, I'll fix that.


And in the logs:

Apr 20 15:33:29 qsign-n01 ods-enforcer[2959]: stack overflow detected:
terminated
Apr 20 15:33:29 qsign-n01 kernel: pid 2959 (ods-enforcerd), jid 0, uid
0, exited on signal 6
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
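The thread above sketches the set-policy procedure (new policy in kasp.xml, policy import, zone set-policy, enforce) and why a zone ends up with two KSK/ZSK sets: during an algorithm roll both algorithms must stay published, and every RRset must be signed with a key of each algorithm present in the DNSKEY RRset (RFC 4035, section 2.2), until the roll is complete. As an added example, not OpenDNSSEC code and not written by either poster, here is the check I would run before deleting the old algorithm's keys: it reads the zone's DNSKEY RRset and the parent's DS RRset in the presentation format dig prints, computes key tags per RFC 4034 Appendix B, and says whether the old algorithm may be retired. The records, key material, DS digests and verdict names are all constructed for this example; `new_alg` is the algorithm of the new policy (13 in the thread).

```python
"""
Algorithm-rollover sanity check: given a zone's DNSKEY RRset and the DS RRset
at the parent, decide whether the old algorithm's keys may be retired.
Added example, not OpenDNSSEC code; all records below are constructed and the
"key material" is placeholder bytes, not real public keys.
"""
import base64
import struct

SEP_FLAG = 0x0001  # DNSKEY flag bit set on a KSK (257 = ZONE | SEP)


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR as printed by dig."""
    f = line.split()
    i = f.index("DNSKEY")
    return {
        "flags": int(f[i + 1]),
        "protocol": int(f[i + 2]),
        "algorithm": int(f[i + 3]),
        "key": base64.b64decode("".join(f[i + 4:])),
    }


def key_tag(k):
    """Key tag per RFC 4034 Appendix B over the wire-format RDATA
    (the legacy rule for algorithm 1 is deliberately not implemented)."""
    rdata = struct.pack("!HBB", k["flags"], k["protocol"], k["algorithm"]) + k["key"]
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_ds(line):
    """Parse a presentation-format DS RR; only key tag and algorithm are used."""
    f = line.split()
    i = f.index("DS")
    return {"key_tag": int(f[i + 1]), "algorithm": int(f[i + 2])}


def assess(dnskey_lines, ds_lines, new_alg):
    """Classify the roll state. new_alg is the algorithm of the new policy."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    ds = [parse_ds(l) for l in ds_lines]
    published = {(k["algorithm"], key_tag(k)) for k in keys}
    referenced = {(d["algorithm"], d["key_tag"]) for d in ds}
    algs = {a for a, _ in published}
    ds_algs = {a for a, _ in referenced}
    old_algs = algs - {new_alg}

    report = {"dnskey_algorithms": sorted(algs), "ds_algorithms": sorted(ds_algs)}
    if referenced - published:
        report["verdict"] = "BROKEN_DS"              # parent points at a key we do not serve
    elif new_alg not in algs:
        report["verdict"] = "NEW_ALG_NOT_PUBLISHED"  # set-policy/enforce has not taken effect
    elif not old_algs:
        report["verdict"] = "ROLL_COMPLETE"          # only the new algorithm is left
    elif new_alg not in ds_algs:
        report["verdict"] = "KEEP_BOTH_ADD_DS"       # DS still covers only the old algorithm
    elif old_algs & ds_algs:
        report["verdict"] = "KEEP_BOTH_WITHDRAW_OLD_DS"  # both in DS: withdraw old DS first
    else:
        report["verdict"] = "RETIRE_OLD_AFTER_TTL"   # old keys may go once DS/DNSKEY TTLs expire
    return report


# ---- constructed sample data (not real keys, digest is a placeholder) ----
def dnskey_rr(owner, flags, alg, material):
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(material).decode()}"


def ds_rr(owner, key, digest_type=2):
    return f"{owner} 3600 IN DS {key_tag(key)} {key['algorithm']} {digest_type} 00"


ZONE = "example.com."
SAMPLE_DNSKEYS = [
    dnskey_rr(ZONE, 257, 8, b"constructed KSK material, alg 8"),
    dnskey_rr(ZONE, 256, 8, b"constructed ZSK material, alg 8"),
    dnskey_rr(ZONE, 257, 13, b"constructed KSK material, alg 13"),
    dnskey_rr(ZONE, 256, 13, b"constructed ZSK material, alg 13"),
]
KSK8 = parse_dnskey(SAMPLE_DNSKEYS[0])
KSK13 = parse_dnskey(SAMPLE_DNSKEYS[2])
DS_OLD_ONLY = [ds_rr(ZONE, KSK8)]
DS_BOTH = [ds_rr(ZONE, KSK8), ds_rr(ZONE, KSK13)]
DS_NEW_ONLY = [ds_rr(ZONE, KSK13)]

if __name__ == "__main__":
    for label, ds in (("DS old only", DS_OLD_ONLY), ("DS both", DS_BOTH), ("DS new only", DS_NEW_ONLY)):
        print(f"{label:12s} -> {assess(SAMPLE_DNSKEYS, ds, new_alg=13)}")
```

For a live zone the two inputs come from `dig example.com DNSKEY +noall +answer` (against the zone's own servers) and `dig example.com DS +noall +answer` (from the parent); the "keep both" verdicts are the situation in the thread, where the zone carries algorithm 8 and 13 key sets and the DS at the parent decides which may be dropped, not the enforcer's key list.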