[Opendnssec-user] KSK in state READY is used for signing?

Petr Spacek pspacek at redhat.com
Fri Jun 13 11:52:55 UTC 2014

Hello list,

I'm working on proof-of-concept integration between OpenDNSSEC enforcer and 

Currently, aim of the project is to prove that it can be integrated (using 
OpenDNSSECv1) and replace current hacky integration later when OpenDNSSECv2 
with pluggable database backends is available.

As it was noted in the previous thread "enforcer hooks", all the necessary 
information should be in XML files in /var/opendnssec/signconf/ directory.

However, I'm surprised that KSK has tag <KSK /> even if it is in state READY 
but not active yet:

$ ods-ksmutil key list
Zone:                           Keytype:      State:    Date of next transition:
test                            ZSK           active    2014-06-13 17:01:49
test                            KSK           ready     waiting for ds-seen

$ cat /var/opendnssec/signconf/test.xml
				<KSK />
				<Publish />

I would expect that <KSK /> flag appears only after ds-seen command, i.e. when 
the key reaches ACTIVE state.

It is intentional or is it a bug?

Thank you for answers and you time!

Petr Spacek  @  Red Hat

More information about the Opendnssec-user mailing list