Hi Sebastian,

> I had the zone running on the 'lab' policy and changed it to the
> 'default' policy. I *expected* that the zone would be reconfigured
> to the new timers etc.

Switching policies is not supported. When you do, there is no guarantee your zone will be signed correctly. At least for some time (depending on TTL).

> Is this expected behavior when changing policies? The keys for
> policy 'lab' and 'default' have the same algorithms and key
> lengths.

Yes it is. Keys are tied to policies.

> When adding the zone I noticed that no keys were generated for the
> zone:

OpenDNSSEC pre-generates keys for later use. Likely a formerly generated but unused key was still available.

> I must say I find it a bit confusing which settings come from the
> XML files and which states are in the MySQL Database.

I agree. Generally state resides in the database, policy in the XML (kasp.xml). The kasp can be reloaded; however, changing timing parameters is a tricky thing. In real life the distinction between state and policy isn't absolute.

//Yuri
