On Tue, Apr 20, 2021 at 11:17 AM Berry van Halderen <[email protected]> wrote:
>
> What should work, but I haven't a test-case for it, is to use the contributed
> set-policy from the enforcer. Create a new policy in your kasp.xml with
> all the same parameters, except for the new algorithm. Then (re)import
> the policy. Then one by one move zones to the new policy. You will have
> to enforce the zones manually to ensure they start the rolling policy
> probably.
>
> Relevant commands:
> vi kasp.xml
> ods-enforcer policy import
> ods-enforcer zone set-policy -z example.com -p newpolicy
> ods-enforcer enforce -z example.com
>
> One caveat to think of, I probably wouldn't use this on combined signing
> keys (CSKs).
>
> If possible test this first, we've used set-policy but not for this
> specific case AFAIK.
Thank you Berry. I tried the set-policy switch in the test environment and it worked; however, I ended up with the zone having two sets of KSK/ZSKs (8 and 13). I'm not sure how to delete the one signed with 8 now. 'ods-enforcer zone delete' accepts --zone <zone>, which will wipe out both sets.

PS: By the way, this command (typed by mistake) made ods-enforcerd crash (exited on signal 6):

ods-enforcer key purge --zone example.com --policy default
too many arguments
[Remote closed connection]

And in the logs:

Apr 20 15:33:29 qsign-n01 ods-enforcer[2959]: stack overflow detected: terminated
Apr 20 15:33:29 qsign-n01 kernel: pid 2959 (ods-enforcerd), jid 0, uid 0, exited on signal 6

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
