...

Code Block
languagebash
# Remove the Enforcer's copy of the zone list, the generated signer
# configurations and the Signer's working files, then re-create the
# Enforcer database from scratch.
rm /var/opendnssec/enforcer/zones.xml
rm /var/opendnssec/signconf/*
rm /var/opendnssec/signer/*
ods-enforcer-db-setup

Stop using DNSSEC for a zone

If a zone should no longer be signed, OpenDNSSEC can stop signing it in a safe way: the zone becomes insecure without the risk that some validators see a bogus zone. This is done by configuring no keys in the zone's policy, that is, by removing the <KSK> and <ZSK> elements from the <Keys> section in kasp.xml. The Enforcer then retires and retracts the current keys as soon as the configured TTLs and safety margins allow. Note that a policy is shared by every zone that refers to it in zonelist.xml, so emptying a policy unsigns all of those zones; give the zone its own policy first if the other zones must stay signed. Also, the DS record at the parent must be removed before the DNSKEY RRset disappears from the zone, otherwise validators would treat the zone as bogus rather than insecure.

For example, a policy whose key section reads

Code Block
languagexml
titlekasp.xml
<Keys>
	<TTL>PT3600S</TTL>
	<RetireSafety>PT3600S</RetireSafety>
	<PublishSafety>PT3600S</PublishSafety>
	<Purge>P14D</Purge>
	<KSK>
		<Algorithm length="2048">8</Algorithm>
		<Lifetime>P1Y</Lifetime>
		<Repository>SoftHSM</Repository>
	</KSK>
	<ZSK>
		<Algorithm length="1024">8</Algorithm>
		<Lifetime>P90D</Lifetime>
		<Repository>SoftHSM</Repository>
	</ZSK>
</Keys>

becomes

Code Block
languagexml
titlekasp.xml
<Keys>
	<TTL>PT3600S</TTL>
	<RetireSafety>PT3600S</RetireSafety>
	<PublishSafety>PT3600S</PublishSafety>
	<Purge>P14D</Purge>
</Keys>

After this change you must instruct the Enforcer to reread the policy before it takes effect.
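As an added example (not code from the OpenDNSSEC project or from this page), the Python script below performs the kasp.xml edit shown above for one named policy and first checks zonelist.xml for every zone that uses that policy, since emptying a shared policy unsigns all of them. The sample kasp.xml and zonelist.xml contents are constructed and abridged; the element and attribute names (KASP, Policy name, Keys, KSK, ZSK, CSK, ZoneList, Zone name, Policy) follow the real files, while the function names, the sample zone names and the policy name "unsign" are assumptions made for the example.

```python
# Added example, not OpenDNSSEC project code: empty the <Keys> section of one
# policy in kasp.xml and list the zones in zonelist.xml that this affects.
import xml.etree.ElementTree as ET

# Constructed, abridged kasp.xml with two policies; only "unsign" is emptied.
KEYS = """<Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <Purge>P14D</Purge>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime><Repository>SoftHSM</Repository></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P90D</Lifetime><Repository>SoftHSM</Repository></ZSK>
    </Keys>"""
SAMPLE_KASP = f"""<KASP>
  <Policy name="default"><Description>stays signed</Description>{KEYS}</Policy>
  <Policy name="unsign"><Description>going insecure</Description>{KEYS}</Policy>
</KASP>"""

# Constructed, abridged zonelist.xml (real zones also carry adapters etc.).
SAMPLE_ZONELIST = """<ZoneList>
  <Zone name="example.com"><Policy>default</Policy></Zone>
  <Zone name="example.net"><Policy>unsign</Policy></Zone>
  <Zone name="example.org"><Policy>unsign</Policy></Zone>
</ZoneList>"""

# Key definitions kasp.xml may hold; CSK is a combined signing key.
KEY_TAGS = ("KSK", "ZSK", "CSK")


def zones_using_policy(zonelist_xml, policy_name):
    """Names of all zones that reference policy_name; every one of them
    stops being signed once the policy has no keys."""
    root = ET.fromstring(zonelist_xml)
    return sorted(z.get("name") for z in root.iter("Zone")
                  if z.findtext("Policy") == policy_name)


def unexpected_zones(zonelist_xml, policy_name, expected_zones):
    """Zones on the policy that the operator did not intend to unsign."""
    affected = zones_using_policy(zonelist_xml, policy_name)
    return sorted(set(affected) - set(expected_zones))


def _keys_element(root, policy_name):
    keys = root.find(f"Policy[@name='{policy_name}']/Keys")
    if keys is None:
        raise KeyError(f"policy {policy_name!r} has no <Keys> section")
    return keys


def keys_children(kasp_xml, policy_name):
    """Tag names directly under <Keys> of the named policy, in file order."""
    return [child.tag for child in _keys_element(ET.fromstring(kasp_xml), policy_name)]


def strip_keys(kasp_xml, policy_name):
    """Return (new_xml, removed_count) with every KSK/ZSK/CSK removed from the
    named policy. TTL, RetireSafety, PublishSafety and Purge stay in place, as
    in the documented before/after fragments, so the Enforcer keeps its timing
    parameters while the existing keys are withdrawn."""
    root = ET.fromstring(kasp_xml)
    keys = _keys_element(root, policy_name)
    doomed = [k for k in keys if k.tag in KEY_TAGS]
    for k in doomed:
        keys.remove(k)
    return ET.tostring(root, encoding="unicode"), len(doomed)


def plan_unsign(kasp_xml, zonelist_xml, policy_name, expected_zones):
    """Refuse to empty a policy that also covers zones not meant to be unsigned."""
    extra = unexpected_zones(zonelist_xml, policy_name, expected_zones)
    if extra:
        raise RuntimeError(f"policy {policy_name!r} also covers {extra}; "
                           "give the target zone its own policy first")
    return strip_keys(kasp_xml, policy_name)


if __name__ == "__main__":
    new_xml, n = plan_unsign(SAMPLE_KASP, SAMPLE_ZONELIST, "unsign",
                             ["example.net", "example.org"])
    print(f"removed {n} key definitions; <Keys> of 'unsign' now holds "
          f"{keys_children(new_xml, 'unsign')}")
    print(new_xml)
```

To use it on a real installation, feed the script the contents of kasp.xml and zonelist.xml (by default under /etc/opendnssec; adjust for your installation), write the returned XML back to kasp.xml, and then tell the Enforcer to reread the policy as the section above requires; on OpenDNSSEC 2.x that is normally done with ods-enforcer policy import (taken from the 2.x command set, check the manual of your installed version).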