[Opendnssec-develop] Enforcer NG testing

Rickard Bellgrim rickard at opendnssec.org
Tue Aug 30 07:58:41 UTC 2011


Hi

I have been sending René and Yuri my test results. This is a summary
of the findings.


Things that need to be automated:
- Key generation
- Enforcing
- Signconf
- Setting the ds-submit flag
- NSEC3-resalting

ds-submit
- Only show the KSK and CSK, not ZSK
- Remove the command arguments. The user should only be able to list the flags.
- Perhaps only show keys that have ds-submit set and do not have
ds-seen set, thus minimizing the number of keys shown.

hsm key gen:
- Should be able to set a time period for which we generate keys

Signer configuration:
- I previously said that the KSK was marked as active, but the key
list said not. Ignore this, I think it is the correct behaviour. The
KSK tag is set when the RRSIGDNSKEY is rumoured or omnipresent, right?

key list:
- A KSK with DS, DNSKEY, and RRSIGDNSKEY marked as omnipresent does
not get marked as active

Error messages when starting fresh:
- Will give error messages when started on a fresh system. Fresh == no pb-files.

key export:
- Export keys as DNSKEY and DS.
- Should send the keys for which there should be a DS in the parent zone.
- ods-ksmutil key export --zone <name> --ds
- ods-ksmutil key export --zone <name>

<DelegationSignerSubmitCommand>
- The tag is implemented but never run by the Enforcer.
- src/keystate/keystate_ds_submit_task.cpp:280:keystate_ds_submit_task_perform(task_type *task)

// Rickard


