[Opendnssec-user] ods-dsseen: automatic activation of DNSKEYS

Rick van Rein rick at openfortress.nl
Thu Feb 21 18:02:02 UTC 2013

Hi Casper,

Cool :)

> I've written a little script that checks if a DS is available from DNS and, if so, automatically issues the ds-seen command. It's a replacement for manually checking the DS and calling "ods-ksmutil key ds-seen ....".

We're rolling out a similar thing at SURFnet, which could be an alternative
to this script, at least for some users.  Our thing automates all stages from
DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).

I'll write a posting about that on our blog https://dnssec.surfnet.nl/
in a while.  After my head stops spinning from flue :-S

> Warning 1: This may be a stupid idea. It could be argued that human validation of this step is a good thing. Do not use this script if you do not completely understand what it does.

The real harm would have been done then I think?  If you want to check
manually, it ought to be done when rolling your DNSKEY and/or DS uphill
(to the parent).  When it starts rolling down on the other side of the
hilltop it's probably too late to stop?

> Warning 2: This script has not been properly tested. Do not use it in a production environment.

Ah, you're looking for $\alpha$ testers ;-)

> I'm looking for opinions on if this is a useful solution or accident waiting to happen.

Did you like the interface of OpenDNSSEC?  I didn't like that it refused
to silently ignore repeated ds-seen due to a script that somehow missed
a previous ds-seen.


More information about the Opendnssec-user mailing list