[Opendnssec-develop] ds-seen details

Tue Nov 24 09:06:04 UTC 2009

There has been a bit of a discussion on pivotal about the details of how
the ds-seen command. As I imagine that not so many people are keeping up
with it I'll summarise it here in case anyone has any ideas...

What it comes down to is when we think the ds-seen command should be

I have implemented a command that should be run when you want the KSK to
roll, so what happens is:

1) Key reaches retirement, and the system starts prompting (via syslog) for
the DS record of the new key to be submitted.
2) When the DS is submitted and seen in the DNS the rollover happens in
response to the "ds-seen" command.

The alternative is that:

1) The user issues the ds-seen command at any time, on any key. This marks
the key as having been "seen".
2) When the current key reaches retirement, provided that there is a key in
the ready state that has been marked as "seen", then the rollover will
continue automatically.

This second scheme requires maybe one days work to write and test a bit. So
my question is which scheme do people prefer?

What we could do is rename the current command as "ksk-roll" which is a
more accurate description of what it does, and add the alternate scheme for
v1.1. This way you can work with either scheme.
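The two schemes above differ only in when ds-seen is allowed to arrive relative to the KSK retirement. The model below is an added example written for this summary, not OpenDNSSEC code: the key states (ready, active, retired), the `retire_due` flag and the function names are assumptions chosen to make the difference visible. Scheme 1 treats ds-seen as the trigger for an already-pending roll; scheme 2 treats it as a flag on the key and lets retirement (or a later ds-seen, once retirement is due) perform the roll.

```python
"""Toy model of the two ds-seen schemes (added example, not OpenDNSSEC code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Key:
    tag: int
    state: str = "ready"      # assumed states: ready, active, retired
    ds_seen: bool = False     # only used by scheme 2


@dataclass
class Zone:
    keys: List[Key] = field(default_factory=list)
    retire_due: bool = False  # assumed: set when the active KSK reaches retirement
    log: List[str] = field(default_factory=list)

    def active(self) -> Optional[Key]:
        return next((k for k in self.keys if k.state == "active"), None)

    def find(self, tag: int) -> Optional[Key]:
        return next((k for k in self.keys if k.tag == tag), None)

    def ready_seen(self) -> Optional[Key]:
        return next((k for k in self.keys if k.state == "ready" and k.ds_seen), None)

    def rollover(self, new: Key) -> None:
        old = self.active()
        if old is not None:
            old.state = "retired"
        new.state = "active"
        self.retire_due = False
        self.log.append(f"rolled {old.tag if old else None} -> {new.tag}")


def new_zone() -> Zone:
    """Constructed fixture: key 1 active, key 2 generated and ready."""
    return Zone(keys=[Key(1, "active"), Key(2, "ready")])


# Scheme 1 (the command as implemented): ds-seen is run when the KSK should roll.
def scheme1_retire(zone: Zone) -> None:
    """Retirement reached: prompt for the new DS; nothing rolls yet."""
    zone.retire_due = True
    zone.log.append("syslog: submit DS for the new KSK")


def scheme1_ds_seen(zone: Zone, tag: int) -> bool:
    """Rolls only if a rollover is pending and the named key is ready."""
    key = zone.find(tag)
    if not zone.retire_due or key is None or key.state != "ready":
        zone.log.append(f"ds-seen {tag}: no rollover pending, ignored")
        return False
    zone.rollover(key)
    return True


# Scheme 2 (proposed): ds-seen marks the key; retirement rolls automatically.
def scheme2_ds_seen(zone: Zone, tag: int) -> bool:
    """Marks the key as seen at any time; rolls at once if retirement is already due."""
    key = zone.find(tag)
    if key is None:
        return False
    key.ds_seen = True
    if zone.retire_due and key.state == "ready":   # assumption: late ds-seen completes the roll
        zone.rollover(key)
    return True


def scheme2_retire(zone: Zone) -> bool:
    """Retirement reached: roll if a ready key has been marked seen, else wait."""
    zone.retire_due = True
    cand = zone.ready_seen()
    if cand is None:
        zone.log.append("retirement due, no seen key: waiting")
        return False
    zone.rollover(cand)
    return True


def demo() -> dict:
    """Same operator behaviour (ds-seen issued early, then retirement) under both schemes."""
    z1 = new_zone()
    scheme1_ds_seen(z1, 2)          # too early: ignored
    scheme1_retire(z1)              # still on key 1, prompting for ds-seen again
    z2 = new_zone()
    scheme2_ds_seen(z2, 2)          # remembered
    scheme2_retire(z2)              # rolls without further operator action
    return {"scheme1_active": z1.active().tag, "scheme2_active": z2.active().tag}
```

Running `demo()` shows the practical difference: with scheme 1 an early ds-seen is lost and the operator must come back after the syslog prompt, while with scheme 2 the same early ds-seen lets the roll complete unattended at retirement.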


