[Opendnssec-develop] The ds-* commands in Enforcer NG
yuri at NLnetLabs.nl
Mon Sep 12 11:39:47 UTC 2011
> I noticed that two new commands has been added to Enforcer NG, "key
> ds-retract" and "key ds-gone". Are those needed? For the purpose of
> DNSSEC, it does not matter if you have old DS RRs in the parent zone.
Having a DS RR in the parent zone for an algorithm not (any longer)
available at the child is a configuration error. The enforcer must know
the DS is really gone before proceeding to outroduce the DNSKEYs.
> As long as you have one valid DS. So we do not need to track the old
> DS RRs. It is implicit that the user remove the old DS RR, because its
> DNSKEY is not included in the "key export" or in the DSSubmitCommand.
I think you are proposing a UI change.
key ds-submit must:
- list keys that are to be submitted
- list keys that are already submitted
- list keys that are already seen
- not list any other keys
key ds-seen <zone> <key> must:
- mark the appropriate key as 'seen'
- implicitly mark all keys waiting for retract as 'gone'
Is this what you are implying? It seems rather unsafe to me.
More information about the Opendnssec-develop