Roman Serbski via Opendnssec-user <opendnssec-user@lists.opendnssec.org> wrote:
> OpenDNSSEC 2.1.8 running on FreeBSD 12.2-RELEASE-p2 serving ~80
> domains and using the default policy (algorithm 8) which still amazes
> me and my friends.
>
> We're moving towards algorithm 13 and the new policy has been created,
> so all newly created domains get signed with algorithm 13.
>
> My question is: how do I gradually migrate existing domains to a new
> policy? According to
> https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-Changeapolicyconfiguration
> I can modify the default policy which will affect all of them. But
> can I change the policy for certain domains only, or I will have to
> stop signing the domain, publish unsigned zone, wait and then add the
> domain to a new policy?

I did use this scheme and parts of Berry's remarks regarding domain per
domain migration:

https://mail.sys4.de/pipermail/dane-users/2019-December/000539.html

After some initial testing with a test domain of mine I used this scheme
for all remaining domains.

Regards,
Michael