[Opendnssec-develop] Making PropagationDelay interactive
sara at sinodun.com
Tue Jul 10 15:17:15 UTC 2012
Sion is leave at the moment so in the meantime, as looks like something we should investigate, I have created a ticket for it:
On 10 Jul 2012, at 11:09, Rick van Rein wrote:
> Hello Siôn,
> We're going to automate DS-uploads; as usual we'll be quite public
> about how this can be done. But I have a question, because we're
> assuming 2.0-ish behaviour that we'd like to patch into 1.x. We
> don't know the Enforcer completely, so here are some questions.
> 1. Are there no exceptions to this KSK maturation path?
> Generate -> publish DNSKEY -> Ready -> publish DS -> Active
> 2. Is it possible to set a future time in the "ready" column of
> dnsseckeys? If we do that, will the key automatically go to the
> ready state at some time after that setting, and pickup on further
> We'd prefer not to rely on some magic value of PropagationDelay, but
> wish to actually check until the authoritatives pickup on a new DNSKEY
> set, and if it does, report that back to the Enforcer; when that
> happens, we would want it to wait for TTL(DNSKEY) + PublishSafety
> before we would be hinted to publish the DS to the parent. This
> wait could be done by setting the "ready" timestamp to the current
> time plus the wait time.
> This enables elegant / simple scripting outside the Enforcer,
> mostly limited to the details of the local setup, and leave all
> the timing complexity and generic issues inside the Enforcer.
> And, it'd be "2.0 ready" scripting, so people can easily upgrade.
> If you think this makes no sense then please let us know :)
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
More information about the Opendnssec-develop