[Opendnssec-develop] Making PropagationDelay interactive
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Jul 12 08:54:57 UTC 2012
On 07/10/2012 12:09 PM, Rick van Rein wrote:
> Hello Siôn,
>
> We're going to automate DS-uploads; as usual we'll be quite public
> about how this can be done. But I have a question, because we're
> assuming 2.0-ish behaviour that we'd like to patch into 1.x. We
> don't know the Enforcer completely, so here are some questions.
>
> 1. Are there no exceptions to this KSK maturation path? Generate ->
> publish DNSKEY -> Ready -> publish DS -> Active
Not in the enforcer, it only does KSK Double Signature Rollover. In
enforcer NG, there are of course different paths.
> 2. Is it possible to set a future time in the "ready" column of
> dnsseckeys? If we do that, will the key automatically go to the
> ready state at some time after that setting, and pickup on further
> actions?
>
> We'd prefer not to rely on some magic value of PropagationDelay,
> but wish to actually check until the authoritatives pickup on a new
> DNSKEY set, and if it does, report that back to the Enforcer; when
> that happens, we would want it to wait for TTL(DNSKEY) +
> PublishSafety before we would be hinted to publish the DS to the
> parent. This wait could be done by setting the "ready" timestamp
> to the current time plus the wait time.
>
> This enables elegant / simple scripting outside the Enforcer,
> mostly limited to the details of the local setup, and leave all the
> timing complexity and generic issues inside the Enforcer. And, it'd
> be "2.0 ready" scripting, so people can easily upgrade.
>
>
> If you think this makes no sense then please let us know :)
>
>
> Thanks,
> -Rick
>
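The timing rule Rick describes (watch the authoritatives until they all serve the new DNSKEY, then wait TTL(DNSKEY) + PublishSafety before the DS goes to the parent) can be sketched as follows. This is an added example, not code from the thread or from OpenDNSSEC; the function name, the poll-record layout, the key tags and the name servers are constructed for illustration, and it assumes a server counts as propagated only from the start of its latest unbroken run of answers containing the new key.

```python
from datetime import datetime, timedelta, timezone

def ds_ready_time(polls, nameservers, new_keytag, publish_safety):
    """Return the earliest time the DS may be handed to the parent, or None.

    polls: chronological (when, nameserver, keytags_in_DNSKEY_rrset, ttl_seconds)
    records produced by an external monitor (hypothetical layout).
    """
    run_start = {ns: None for ns in nameservers}
    max_ttl = 0
    for when, ns, keytags, ttl in polls:
        if ns not in run_start:
            continue  # ignore answers from servers outside the NS set
        max_ttl = max(max_ttl, ttl)  # be conservative: longest TTL observed
        if new_keytag in keytags:
            if run_start[ns] is None:
                run_start[ns] = when  # first poll of a new unbroken run
        else:
            run_start[ns] = None  # key vanished again: restart the clock
    if any(start is None for start in run_start.values()):
        return None  # at least one authoritative does not serve the key yet
    propagated = max(run_start.values())  # the slowest server decides
    return propagated + timedelta(seconds=max_ttl) + publish_safety

def _t(minute):
    return datetime(2012, 7, 12, 9, minute, tzinfo=timezone.utc)

# Constructed sample data: two authoritatives, one of which briefly
# serves a stale DNSKEY RRset after having shown the new key.
NAMESERVERS = ["ns1.example.net", "ns2.example.net"]
OLD, NEW = 11111, 22222
POLLS = [
    (_t(0), "ns1.example.net", {OLD, NEW}, 3600),
    (_t(0), "ns2.example.net", {OLD}, 3600),
    (_t(5), "ns1.example.net", {OLD}, 3600),        # stale answer
    (_t(5), "ns2.example.net", {OLD, NEW}, 3600),
    (_t(10), "ns1.example.net", {OLD, NEW}, 3600),
    (_t(10), "ns2.example.net", {OLD, NEW}, 3600),
]

if __name__ == "__main__":
    print(ds_ready_time(POLLS, NAMESERVERS, NEW, timedelta(hours=1)))
```

Returning `None` while any authoritative still lacks the key keeps a script from hinting the DS upload on a fixed delay alone.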