[Opendnssec-user] KSK in state READY is used for signing?
Petr Spacek
pspacek at redhat.com
Fri Jun 13 11:52:55 UTC 2014
Hello list,

I'm working on a proof-of-concept integration between the OpenDNSSEC enforcer and
FreeIPA.

Currently, the aim of the project is to prove that it can be integrated (using
OpenDNSSECv1) and to replace the current hacky integration later when OpenDNSSECv2
with pluggable database backends is available.

As was noted in the previous thread "enforcer hooks", all the necessary
information should be in XML files in the /var/opendnssec/signconf/ directory.
However, I'm surprised that the KSK has the tag <KSK /> even if it is in state READY
but not active yet:

$ ods-ksmutil key list
Keys:
Zone:    Keytype:    State:    Date of next transition:
test     ZSK         active    2014-06-13 17:01:49
test     KSK         ready     waiting for ds-seen

$ cat /var/opendnssec/signconf/test.xml
<Keys>
  <Key>
    <Flags>257</Flags>
    <KSK />
    <Publish />
  </Key>

I would expect that the <KSK /> flag appears only after the ds-seen command, i.e. when
the key reaches the ACTIVE state.

Is it intentional or is it a bug?

Thank you for your answers and your time!

--
Petr Spacek @ Red Hat