[Opendnssec-develop] Enforcer NG

René Post rene at xpt.nl
Thu Sep 15 07:16:44 UTC 2011


On Sep 14, 2011, at 6:18 PM, Rickard Bellgrim wrote:

> Hi
> 
> It is now ready for an alpha release. Only have some comments that we
> might save for later:
> 
> - I would like to have the --keytype mandatory for the "key rollover".
> It is a change of behavior, but it is so easy to do something wrong
> here.


This means that rolling all keys is not possible anymore with a single command.
Assuming that is not a problem, I'll change it.

> - "key list" says that the DS is rumoured, "key export" exports the
> key, but "ds-submit" does not say anything.

The key is probably already in submitted state. If you configured
a DelegationSignerSubmitCommand then this program was
started as the key transitioned from uncommitted to submit.
If the program was started successfully then the key will make
the transition to submitted and no longer shows up when you
perform a 'key ds-submit'. It will, however, show up when you do a
'key ds-seen', as that command shows the keys that are in 'submitted'
state waiting to be marked as 'seen'.

When you perform a 'key export' the state has to be either submit
or submitted (or retract / retracted). I allow the re-export of a submitted key to 
handle the situation where a key "got lost in transit" on its way to the parent.
Whenever a key is exported and is still in submit state, the key will then also
transition to submitted state. Calling 'key ds-submit' will only show the keys
that are in submit state and have never been submitted to the parent either
via 'key export' or automatically via the DelegationSignerSubmitCommand.


//René
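
The DS state handling described in the reply above, as a small Python model. This is an added example, not part of the original message and not OpenDNSSEC code: the class, the function names and the key tags are assumptions made for illustration, and only the transitions the message states are modelled.

```python
from enum import Enum

class DS(Enum):  # state names as used in the message; not the enforcer's own enum
    UNCOMMITTED = "uncommitted"
    SUBMIT = "submit"
    SUBMITTED = "submitted"
    RETRACT = "retract"
    RETRACTED = "retracted"

EXPORTABLE = {DS.SUBMIT, DS.SUBMITTED, DS.RETRACT, DS.RETRACTED}

class Key:
    def __init__(self, tag):
        self.tag = tag
        self.state = DS.UNCOMMITTED

def to_submit(key, submit_command=None):
    """Key enters 'submit'; a configured submit command that starts
    successfully moves it straight on to 'submitted'."""
    key.state = DS.SUBMIT
    if submit_command is not None and submit_command(key):
        key.state = DS.SUBMITTED

def key_export(key):
    """Export is allowed in submit/submitted (or retract/retracted)."""
    if key.state not in EXPORTABLE:
        raise ValueError(f"key {key.tag}: cannot export in state {key.state.value}")
    if key.state is DS.SUBMIT:       # first hand-off to the parent
        key.state = DS.SUBMITTED     # a re-export of a submitted key changes nothing
    return f"<DS record for key {key.tag}>"  # placeholder output

def list_ds_submit(keys):  # what 'key ds-submit' would show
    return [k.tag for k in keys if k.state is DS.SUBMIT]

def list_ds_seen(keys):    # what 'key ds-seen' would show
    return [k.tag for k in keys if k.state is DS.SUBMITTED]

def demo():
    a, b, c = Key(1), Key(2), Key(3)             # constructed key tags
    keys = [a, b, c]
    to_submit(a, submit_command=lambda k: True)  # command started successfully
    to_submit(b, submit_command=lambda k: False) # command failed to start
    to_submit(c)                                 # no command configured
    before = (list_ds_submit(keys), list_ds_seen(keys))
    key_export(c)  # manual export: submit -> submitted
    key_export(a)  # re-export of a key "lost in transit": stays submitted
    after = (list_ds_submit(keys), list_ds_seen(keys))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Key 2 is the case to watch operationally: its submit command never started, so it stays in 'key ds-submit' until someone exports it or resubmits it.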

