[Opendnssec-develop] The ds-* commands in Enforcer NG

Yuri Schaeffer yuri at NLnetLabs.nl
Mon Sep 12 11:39:47 UTC 2011

> I noticed that two new commands have been added to Enforcer NG, "key
> ds-retract" and "key ds-gone". Are those needed? For the purpose of
> DNSSEC, it does not matter if you have old DS RRs in the parent zone.

Having a DS RR in the parent zone for an algorithm not (any longer)
available at the child is a configuration error. The enforcer must know
the DS is really gone before proceeding to outroduce the DNSKEYs.

> As long as you have one valid DS. So we do not need to track the old
> DS RRs. It is implicit that the user removes the old DS RR, because its
> DNSKEY is not included in the "key export" or in the DSSubmitCommand.

I think you are proposing a UI change.

key ds-submit must:
- list keys that are to be submitted
- list keys that are already submitted
- list keys that are already seen
- not list any other keys

key ds-seen <zone> <key> must:
- mark the appropriate key as 'seen'
- implicitly mark all keys waiting for retract as 'gone'

Is this what you are implying? It seems rather unsafe to me.

Yuri Schaeffer
NLnet Labs
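
Added illustration, not part of the original message and not OpenDNSSEC code: a simplified model of the two "ds-seen" behaviours discussed above, showing how the implicit variant can leave a DS at the parent for an algorithm the child no longer publishes. The state names, key tags and the rule that a key is withdrawn as soon as its DS is marked gone are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Simplified model for illustration; state names are assumptions, not Enforcer NG internals.
@dataclass(frozen=True)
class Key:
    tag: int        # key tag (constructed sample value)
    algorithm: int  # DNSSEC algorithm number
    ds_state: str   # "submitted", "seen", "retract" or "gone"

def ds_seen_implicit(keys, tag):
    """Proposed UI: mark `tag` seen and assume every key awaiting retract is gone."""
    out = []
    for k in keys:
        if k.tag == tag:
            k = replace(k, ds_state="seen")
        elif k.ds_state == "retract":
            k = replace(k, ds_state="gone")
        out.append(k)
    return out

def ds_seen_explicit(keys, tag):
    """Only the named key changes state; a retract needs its own confirmation."""
    return [replace(k, ds_state="seen") if k.tag == tag else k for k in keys]

def published_dnskeys(keys):
    """Assumed simplification: a DNSKEY is withdrawn once its DS is marked 'gone'."""
    return [k for k in keys if k.ds_state != "gone"]

def orphaned_ds_algorithms(parent_ds, keys):
    """Algorithms that have a DS at the parent but no DNSKEY left at the child."""
    child_algs = {k.algorithm for k in published_dnskeys(keys)}
    return {alg for (_tag, alg) in parent_ds} - child_algs

# Constructed scenario: algorithm rollover from 5 to 8. The operator added the
# new DS at the parent but has not yet removed the old one.
KEYS = [Key(1111, 5, "retract"), Key(2222, 8, "submitted")]
PARENT_DS = {(1111, 5), (2222, 8)}

if __name__ == "__main__":
    print("implicit:", orphaned_ds_algorithms(PARENT_DS, ds_seen_implicit(KEYS, 2222)))
    print("explicit:", orphaned_ds_algorithms(PARENT_DS, ds_seen_explicit(KEYS, 2222)))
```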
