[Opendnssec-develop] Making PropagationDelay interactive

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 12 08:54:57 UTC 2012


On 07/10/2012 12:09 PM, Rick van Rein wrote:
> Hello Siôn,
>
> We're going to automate DS-uploads; as usual we'll be quite public
> about how this can be done.  But I have a question, because we're
> assuming 2.0-ish behaviour that we'd like to patch into 1.x.  We
> don't know the Enforcer completely, so here are some questions.
>
> 1. Are there no exceptions to this KSK maturation path? Generate ->
> publish DNSKEY -> Ready -> publish DS -> Active

Not in the enforcer; it only does KSK Double Signature Rollover. In
enforcer NG, there are of course different paths.

> 2. Is it possible to set a future time in the "ready" column of
> dnsseckeys?  If we do that, will the key automatically go to the
> ready state at some time after that setting, and pick up on further
> actions?
>
> We'd prefer not to rely on some magic value of PropagationDelay,
> but wish to actually check until the authoritatives pick up on a new
> DNSKEY set, and if they do, report that back to the Enforcer; when
> that happens, we would want it to wait for TTL(DNSKEY) +
> PublishSafety before we would be hinted to publish the DS to the
> parent.  This wait could be done by setting the "ready" timestamp
> to the current time plus the wait time.
>
> This enables elegant / simple scripting outside the Enforcer,
> mostly limited to the details of the local setup, and leaves all the
> timing complexity and generic issues inside the Enforcer.  And, it'd
> be "2.0 ready" scripting, so people can easily upgrade.
>
> If you think this makes no sense then please let us know :)
> Thanks, -Rick

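The procedure Rick describes (check that every authoritative has picked up the new DNSKEY set, then wait TTL(DNSKEY) + PublishSafety before the DS is hinted to the parent), as an added Python example that is not code from this thread or from OpenDNSSEC. The per-server observations, the DNSKEY (a four-byte placeholder public key, not a real RSA key), and the TTL and PublishSafety values are constructed; `ds_ready_time`, `ds_record` and the other function names are this example's own, and how the resulting timestamp is written into the Enforcer's dnsseckeys "ready" column is left to the caller. The DS derivation follows RFC 4034 (key tag from Appendix B, canonical owner name) and RFC 4509 (SHA-256 digest type 2), so the record it prints is what would be uploaded to the parent.

```python
"""Added example (not OpenDNSSEC code): derive the DS record for a KSK and
decide when the Enforcer's 'ready' timestamp may be set, per the rule in the
thread: wait until every authoritative serves the new DNSKEY, then add
TTL(DNSKEY) + PublishSafety before hinting that the DS may go to the parent.

All inputs are constructed for illustration; nothing here talks to the
network or to the Enforcer's dnsseckeys table.
"""
import base64
import hashlib
import struct


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit sum with carry folded back in)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def name_to_wire(owner):
    """Canonical (lower-case, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    out = b""
    for label in owner.strip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """Presentation-format DS RR, ready to be uploaded to the parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return "%s. IN DS %d %d 2 %s" % (
        owner.strip("."), key_tag(rdata), algorithm, ds_digest_sha256(owner, rdata))


def ds_ready_time(observations, new_tag, dnskey_ttl, publish_safety, now):
    """Decide whether the 'ready' timestamp can be set.

    observations: {server_name: set of key tags seen in that server's DNSKEY
    RRset}, collected by the caller (one DNSKEY query per authoritative).
    Returns (ready_epoch, missing_servers): ready_epoch is None while any
    authoritative still lacks the new key, otherwise now + TTL + PublishSafety.
    """
    missing = sorted(s for s, tags in observations.items() if new_tag not in tags)
    if missing:
        return None, missing
    return now + dnskey_ttl + publish_safety, []


if __name__ == "__main__":
    # Constructed KSK: flags 257 (SEP), protocol 3, algorithm 8, placeholder key.
    owner, pubkey = "example.org", "AQIDBA=="
    tag = key_tag(dnskey_rdata(257, 3, 8, pubkey))
    print(ds_record(owner, 257, 3, 8, pubkey))

    # Constructed observations: ns2 has not yet picked up the new DNSKEY set.
    seen = {"ns1.example.org": {tag, 4242}, "ns2.example.org": {4242}}
    now, ttl, publish_safety = 1_342_000_000, 3600, 3600
    ready, missing = ds_ready_time(seen, tag, ttl, publish_safety, now)
    print("not ready yet, still waiting for:", missing)

    seen["ns2.example.org"].add(tag)
    ready, missing = ds_ready_time(seen, tag, ttl, publish_safety, now)
    print("set dnsseckeys.ready to", ready, "(now + TTL(DNSKEY) + PublishSafety)")
```

The point of polling each authoritative separately, rather than only the primary, is exactly to replace the PropagationDelay guess with an observation: the TTL(DNSKEY) + PublishSafety wait only starts counting once the last server is seen serving the new key.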