[Opendnssec-develop] ds-seen details
Rickard Bellgrim
rickard.bellgrim at iis.se
Tue Nov 24 09:49:53 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> 1) Key reaches retirement, and the system starts prompting (via syslog)
> for
> the DS record of the new key to be submitted.
> 2) When the DS is submitted and seen in the DNS the rollover happens in
> response to the "ds-seen" command.
What I saw was that you could not do this on a standby key without forcing a rollover. But maybe this was not a requirement.
> The alternative is that:
>
> 1) The user issues the ds-seen command at any time, on any key. This
> marks
> the key as having been "seen".
> 2) When the current key reaches retirement, provided that there is a
> key in
> the ready state that has been marked as "seen", then the rollover will
> continue automatically.
Remembering the discussion about having a tool which synchronizes DS records in the parent with the KSK key set. This scheme would be a good interface for such a tool.
> This second scheme requires maybe one days work to write and test a
> bit. So
> my question is which scheme do people prefer?
I would prefer the second scheme, but as you say, it require some more changes to the code.
> What we could do is rename the current command as "ksk-roll" which is a
> more accurate description of what it does, and add the alternate scheme
> for
> v1.1. This way you can work with either scheme.
Just so it is clear for the user on how to do a KSK rollover (if we are going to keep the first schema). E.g.
ods-ksmutil key rollover --zone example.com --keytype KSK
(upload new DS to parent)
ods-ksmutil key ksk-roll --zone example.com --keytag 12345
Just to remember: The key rollovers are something that OpenDNSSEC should be good at. Maybe so important that it must be solved before v1.0.
// Rickard
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8
wsBVAwUBSwusQeCjgaNTdVjaAQiq1wf/QKCkp6Dlw9eaBShWs6m0YboXarcnhNJx
wX2tE/qOc458bSiUnhhC7Av1TnVnxcxaylUgI4boS26TewSafp4uAVte9K/82fwq
Sp5Uevwj/7VhbwbqyM5ttJXdVsoNZ7wfSA+pRwCN7f12eCGqxxu89MIlzNH2jkB/
61/Z7tC8BNgdedUYj4t0bbcMVI73MqaNCm2XGV2OhbviG2EJQYZRdDzjjAYJw5bc
0g9MN+31g7cv6nEf5oOQxs3VyBpa3Pm7LpPO1nWsHJ+EMgnvxnybJV9ae/3T1k3e
7czBF+o9fnDQzSJ2HJqk8sn62QpXnZdug7MdHTv8mIfMce3tcnYCzg==
=quPj
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091124/0eecbfdf/attachment.htm>
More information about the Opendnssec-develop
mailing list