[Opendnssec-develop] DelegationSignerSubmitCommand

Sion Lloyd sion at nominet.org.uk
Tue Dec 7 11:49:33 UTC 2010


Morning.

I have a story in pivotal about the records that should be passed to the 
DelegationSignerSubmitCommand.

Currently we pass all the keys that are in use at the time that the command is 
called, including the old key.

As the story states this is not following our stated rollover scheme as the 
old DS should be removed from the parent when the new one is introduced.

The problem with not passing the old key is that if the "--no-retire" flag is 
issued to the ds-seen command then the key will be left in the zone but the DS 
will get removed... But when the DelegationSignerSubmitCommand is called we do 
not know if this flag will be used or not...

So the question is, what should we do?

1) Pass all records and let the user remove the ones they don't want?
2) Pass just the new record and if the user wants the old one also they have 
to dig it out themselves?
3) Call DelegationSignerSubmitCommand again when ds-seen is run?
4) Something else?

My first feeling was for (1) as it is easier to drop a record than to produce 
it. Then I thought (2) as it is consistent with the rollover scheme that we 
are using... Any ideas?

Cheers,

Sion


