Hi, I have an opendnssec 1.4.6 setup with a KSK in a Yubikey NEO.
The Yubikey has limited space for keys, and the current p11 module doesn't support key generation, so I have a single KSK in the Yubikey and a second SoftHSM repository for ZSKs. I created my first zone example.net in policy "lab" and imported the KSK in the Yubikey like this:

    ods-ksmutil key import --cka_id 01 --repository YubiKeyNEO4PIV \
        --bits 2048 --algorithm 8 --keystate active --keytype KSK \
        --time 20260309 --zone example.net

An ods-ksmutil key list --verbose shows me this (date and CKA_ID shortened to make it fit in e-mail):

    Keys:
    Zone:        Keytype:  State:  Date:  Size:  Alg:  CKA_ID:     Repository:     Keytag:
    example.net  KSK       active  2026   2048   8     01          YubiKeyNEO4PIV  10369
    example.net  ZSK       active  2016   2048   8     85631b...2  SoftHSM         43338

When I was happy with it, I got my DS records published in the .net zone, and after that I wanted to move the zone to policy default. Turns out, keys are secretly associated with policies for some reason, so opendnssec wanted to generate a new KSK but failed since the YubiKeyNEO4PIV repository doesn't support key generation. I did not want to generate new KSKs.

How should one go about moving a zone from one policy to another? Don't tell me how to do it in sqlite3, I've already figured that out ;).

/Fredrik
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
