> What should work, but haven't a test-case for it, is to use the
> contributed set-policy from the enforcer. Create a new policy
> in your kasp.xml with all the same parameters, except from the
> new algorithm. Then (re)import the policy. Then one by one
> move zones to the new policy. You will have to enforce the
> zones manually to ensure they start the rolling policy
> probably.
>
> Relevant commands:
> vi kasp.xml
> ods-enforcer policy import
> ods-enforcer zone set-policy -z example.com -p newpolicy
> ods-enforcer enforce -z example.com
>
> One caveat to think of, I probably wouldn't use this on
> combined signing keys (CSKs).
>
> If possible test this first, we've used set-policy but not for
> this specific case AFAIK.
Hmm, this probably means that the wiki page at https://wiki.opendnssec.org/display/DOCS/kasp.xml with the notice

  Once a zone is signed, changes to the algorithm require a rollover
  which is not currently handled by OpenDNSSEC. Attempts to change the
  algorithm on a policy will result in a warning message and a request
  for confirmation.

needs an update? In particular it would seem that "is not currently handled by OpenDNSSEC" is no longer true?

Also, this section doesn't mention the "length" parameter, and whether it is mandatory. As I understand it, the ECDSA algorithms have an implied key length, but I suspect OpenDNSSEC still insists you supply this field when specifying those algorithms?

I myself am struggling with getting OpenDNSSEC to accept my new dual-policy kasp.xml file; it keeps saying

  error: Unable to validate '/usr/pkg/etc/opendnssec/kasp.xml' consistency.

when I do "ods-enforcer update all", and there's not much information in the log either, at log level 5, so I'm scratching my head because, once again, OpenDNSSEC doesn't really provide operator-friendly error messages, pointing to the specific detail which is wrong, it just says "Nope!".

Well... Re-tried with "ods-enforcer policy import", and got the somewhat more helpful

  Unable to validate the KASP XML, please run ods-kaspcheck for more details!

and that gave me

  INFO: The XML in /usr/pkg/etc/opendnssec/conf.xml is valid
  INFO: The XML in /usr/pkg/etc/opendnssec/kasp.xml is valid
  ERROR: ZSK with algorithm 14 not found, algorithm mismatch between ZSK and KSK
  INFO: The XML in /usr/pkg/etc/opendnssec/zonelist.xml is valid

So ... I tried specifying algorithm 14 (ECDSA P-384) for KSK with a 1 year rotation, and algorithm 13 (ECDSA P-256) for ZSK with a 1 month rotation. Isn't that supposed to be supported? Or is there something in the protocol specification which says that you must have the same algorithm for KSK and ZSK? (I didn't think so.)
Regards,
- Håvard

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
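The ods-kaspcheck error quoted above is a pre-flight check of the rule in RFC 4035 section 2.2: every algorithm present in the apex DNSKEY RRset must also sign the zone's RRsets, so a KSK algorithm with no ZSK of the same algorithm leaves the zone bogus for validators. The following added script (not OpenDNSSEC's own code, and not from the thread) parses a constructed two-policy kasp.xml, one RSA policy that passes and one reproducing the KSK 14 / ZSK 13 mismatch, and reports policies that would fail this check; treating a <CSK> element as covering both roles is an assumption made here.

```python
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment (example input only, not a real deployment):
# policy "rsa" has matching KSK/ZSK algorithms, policy "ecdsa" mirrors the
# setup from the mail (KSK alg 14, ZSK alg 13) and must be reported.
KASP_XML = """<KASP>
  <Policy name="rsa">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P30D</Lifetime></ZSK>
    </Keys>
  </Policy>
  <Policy name="ecdsa">
    <Keys>
      <KSK><Algorithm>14</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm>13</Algorithm><Lifetime>P30D</Lifetime></ZSK>
    </Keys>
  </Policy>
</KASP>"""


def key_algorithms(policy, role):
    """Return the set of DNSSEC algorithm numbers used by keys of one role (KSK/ZSK/CSK)."""
    return {int(a.text.strip()) for a in policy.findall(f"Keys/{role}/Algorithm")}


def check_policy_algorithms(xml_text):
    """Map policy name -> list of error strings for policies whose KSK algorithms
    have no ZSK (or, by assumption, CSK) of the same algorithm to sign zone data."""
    problems = {}
    for policy in ET.fromstring(xml_text).findall("Policy"):
        ksk = key_algorithms(policy, "KSK")
        signers = key_algorithms(policy, "ZSK") | key_algorithms(policy, "CSK")
        msgs = [
            f"ZSK with algorithm {alg} not found, algorithm mismatch between ZSK and KSK"
            for alg in sorted(ksk - signers)
        ]
        if msgs:
            problems[policy.get("name")] = msgs
    return problems


if __name__ == "__main__":
    for name, msgs in check_policy_algorithms(KASP_XML).items():
        for msg in msgs:
            print(f"ERROR: policy '{name}': {msg}")
```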