[Opendnssec-user] Bootstrapping a new domain

Casper Gielen C.Gielen at uvt.nl
Thu Nov 10 17:43:13 UTC 2011

I discovered that I either have a fundamental misunderstanding of how 
OpenDNSSEC works or that ODS does not have a proper way of adding new zones.

When creating a new zone one has to do the following:
- add zone, create keys
- (backup keys)
- sign zone
- publish zone
- send DS to parent

However, in reality the signed zone does not appear in 
/var/lib/opendnssec/signed until after the ds-seen command has been given.

This makes perfect sense for key-rollovers but not in the 
bootstrap-phase. As soon as the DS is published by the parent all 
validating resolvers will start to expect a signed zone. However I can't 
publish the zone yet because it is waiting for the DSPUBLISH delay.

So far this has eluded me because I test all zones internally for a 
while before the DS is actually sent to the parent.

Mind you, I'm only talking about the first time a zone is signed.
Am I missing something or is their indeed a gap?
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

More information about the Opendnssec-user mailing list