[Opendnssec-develop] Making PropagationDelay interactive

Rick van Rein rick at openfortress.nl
Tue Jul 10 10:09:38 UTC 2012

Hello Siôn,

We're going to automate DS-uploads; as usual we'll be quite public
about how this can be done.  But I have a question, because we're
assuming 2.0-ish behaviour that we'd like to patch into 1.x.  We
don't know the Enforcer completely, so here are some questions.

1. Are there no exceptions to this KSK maturation path?
Generate -> publish DNSKEY -> Ready -> publish DS -> Active

2. Is it possible to set a future time in the "ready" column of
dnsseckeys?  If we do that, will the key automatically go to the
ready state at some time after that setting, and pick up on further

We'd prefer not to rely on some magic value of PropagationDelay, but
wish to actually check until the authoritatives pick up on a new DNSKEY
set, and if they do, report that back to the Enforcer; when that
happens, we would want it to wait for TTL(DNSKEY) + PublishSafety
before we would be hinted to publish the DS to the parent.  This
wait could be done by setting the "ready" timestamp to the current
time plus the wait time.

This enables elegant / simple scripting outside the Enforcer,
mostly limited to the details of the local setup, and leaves all
the timing complexity and generic issues inside the Enforcer.  
And, it'd be "2.0 ready" scripting, so people can easily upgrade.

If you think this makes no sense then please let us know :)
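
An added example, not part of the original message and not OpenDNSSEC code: the wait described above, written as a pure calculation over what each authoritative server returned. The observation format, server names, key tags and the 3600-second PublishSafety are constructed assumptions; the DNS queries themselves and the write to the "ready" column are left out.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what each authoritative server returned for the DNSKEY
# query (key tags seen and the RRset TTL); None would mean no answer at all.
SAMPLE_OBSERVATIONS = {
    "ns1.example.": {"key_tags": {11111, 22222}, "ttl": 3600},
    "ns2.example.": {"key_tags": {11111, 22222}, "ttl": 3600},
    "ns3.example.": {"key_tags": {11111}, "ttl": 3600},  # new key 22222 not seen yet
}


def lagging_servers(observations, key_tag):
    """Servers that did not answer or do not yet serve the new key."""
    return sorted(
        ns for ns, obs in observations.items()
        if obs is None or key_tag not in obs["key_tags"]
    )


def ready_timestamp(observations, key_tag, publish_safety, now):
    """Time to record as "ready", or None while any authoritative lags.

    The wait is TTL(DNSKEY) + PublishSafety, counted from the moment every
    server is seen serving the key, so that cached copies of the old DNSKEY
    set have expired before the DS is published to the parent.
    """
    if not observations or lagging_servers(observations, key_tag):
        return None
    # Use the largest TTL observed: the most conservative choice (assumption).
    ttl = max(obs["ttl"] for obs in observations.values())
    return now + timedelta(seconds=ttl + publish_safety)


if __name__ == "__main__":
    now = datetime(2012, 7, 10, 10, 0, tzinfo=timezone.utc)
    print("lagging:", lagging_servers(SAMPLE_OBSERVATIONS, 22222))
    print("ready:", ready_timestamp(SAMPLE_OBSERVATIONS, 22222, 3600, now))
```

A polling script would rerun the check until `ready_timestamp` returns a time, and only then report back.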

