[Opendnssec-develop] ds-seen details

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 24 09:49:53 UTC 2009


> 1) Key reaches retirement, and the system starts prompting (via syslog) for
> the DS record of the new key to be submitted.
> 2) When the DS is submitted and seen in the DNS the rollover happens in
> response to the "ds-seen" command.

What I saw was that you could not do this on a standby key without forcing a rollover. But maybe this was not a requirement.

> The alternative is that:
> 1) The user issues the ds-seen command at any time, on any key. This marks
> the key as having been "seen".
> 2) When the current key reaches retirement, provided that there is a key in
> the ready state that has been marked as "seen", then the rollover will
> continue automatically.

I recall the discussion about having a tool that synchronizes the DS records in the parent with the KSK key set; this scheme would be a good interface for such a tool.

> This second scheme requires maybe one day's work to write and test a bit. So
> my question is which scheme do people prefer?

I would prefer the second scheme, but as you say, it requires some more changes to the code.

> What we could do is rename the current command as "ksk-roll" which is a
> more accurate description of what it does, and add the alternate scheme for
> v1.1. This way you can work with either scheme.

Just so it is clear to the user how to do a KSK rollover (if we are going to keep the first scheme). E.g.

ods-ksmutil key rollover --zone example.com --keytype KSK
(upload new DS to parent)
ods-ksmutil key ksk-roll --zone example.com --keytag 12345

Just a reminder: key rollovers are something that OpenDNSSEC should be good at. Maybe so important that it must be solved before v1.0.

// Rickard
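As an added illustration of what a DS-synchronization check behind "ds-seen" would have to verify (example code written for this page, not OpenDNSSEC's own code; the function names, the constructed key bytes and the parent DS set are all assumptions), the following computes the DS the parent should publish for a KSK (RFC 4034 key tag, RFC 4509 SHA-256 digest), tests whether the parent's DS RRset contains it, and applies the second scheme's rule that the rollover may only continue once a key in the ready state has been seen:

```python
"""Check whether the parent already publishes the DS for a KSK.

Added example for this thread, not OpenDNSSEC code. It implements the
RFC 4034 Appendix B key tag and the RFC 4509 SHA-256 DS digest, then
applies the "ready key has been seen" condition of the second scheme.
All key material and the parent DS set below are constructed samples.
"""
import hashlib
from dataclasses import dataclass

DIGEST_SHA256 = 2   # DS digest type 2 (RFC 4509)
KSK_FLAGS = 257     # ZONE (256) + SEP (1)


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, non-RSAMD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lower-case hex, as it would appear in the parent zone


def make_ds(owner: str, rdata: bytes) -> DS:
    """The DS the parent should publish for this DNSKEY: SHA-256(owner | RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), rdata[3], DIGEST_SHA256, digest)


def ds_seen(owner: str, rdata: bytes, parent_ds_set) -> bool:
    """True if the parent's DS RRset contains a DS matching this key."""
    want = make_ds(owner, rdata)
    return any(
        DS(ds.key_tag, ds.algorithm, ds.digest_type, ds.digest.lower()) == want
        for ds in parent_ds_set
    )


def may_continue_rollover(owner: str, keys, parent_ds_set) -> bool:
    """Second scheme: the retiring KSK may be replaced only if a key in the
    'ready' state has its DS in the parent (i.e. has been 'seen')."""
    return any(k["state"] == "ready" and ds_seen(owner, k["rdata"], parent_ds_set)
               for k in keys)


# Constructed sample keys (not real RSA material); algorithm 8 = RSASHA256.
OLD_KSK = dnskey_rdata(KSK_FLAGS, 8, bytes([0x03, 0x01, 0x00, 0x01]) + bytes([0x12, 0x34]) * 4)
NEW_KSK = dnskey_rdata(KSK_FLAGS, 8, bytes([0x03, 0x01, 0x00, 0x01]) + bytes([0xAB, 0xCD]) * 4)


def demo(owner: str = "example.com."):
    """Walk the rollover: parent has only the old DS, then the new DS is added."""
    keys = [{"state": "active", "rdata": OLD_KSK}, {"state": "ready", "rdata": NEW_KSK}]
    parent = [make_ds(owner, OLD_KSK)]          # what the parent publishes today
    before = may_continue_rollover(owner, keys, parent)
    parent.append(make_ds(owner, NEW_KSK))      # operator uploads the new DS
    after = may_continue_rollover(owner, keys, parent)
    return before, after


if __name__ == "__main__":
    print("new KSK tag:", key_tag(NEW_KSK))
    print("rollover allowed before/after DS upload:", demo())
```

In a real tool the parent DS set would come from a DNS query against the parent's authoritative servers rather than being constructed, and the check should be repeated across all of them, since a DS that only some parent servers return is not yet safe to treat as seen.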
