[Opendnssec-user] Bootstrapping a new domain
C.Gielen at uvt.nl
Thu Nov 10 17:43:13 UTC 2011
I discovered that I either have a fundamental misunderstanding of how
OpenDNSSEC works or that ODS does not have a proper way of adding new zones.
When creating a new zone one has to do the following:
- add zone, create keys
- (backup keys)
- sign zone
- publish zone
- send DS to parent
However, in reality the signed zone does not appear in
/var/lib/opendnssec/signed until after the ds-seen command has been given.
This makes perfect sense for key-rollovers but not in the
bootstrap-phase. As soon as the DS is published by the parent all
validating resolvers will start to expect a signed zone. However I can't
publish the zone yet because it is waiting for the DSPUBLISH delay.
So far this has eluded me because I test all zones internally for a
while before the DS is actually sent to the parent.
Mind you, I'm only talking about the first time a zone is signed.
Am I missing something or is their indeed a gap?
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
More information about the Opendnssec-user