[Opendnssec-user] Pre-publish DS records?

Rick van Rein rick at openfortress.nl
Fri Feb 13 11:43:27 UTC 2015


Hi,

> So DelegationSignerSubmitCommand gets DNSKEY, calculates DS, submits DS,
> schedules process to wait for DS actually in parent, waits a wee bit
> longer and then marks ds-seen. Sounds good.

The general procedure that we follow for parenting goes through a number of states, for each of which we store the DNSKEY set, and when differences exist between one state and the next we try to make the required changes.  The states and their updating constraints are:

0signer	The signer DNSKEY set
1author	Ditto, after it has become visible on all authoritative name servers
2mature	Ditto, after the TTL on the DNSKEYs has passed
3parent	The DNSKEY set supported in the parent’s DS records
4public	Ditto, now published on all authoritatives
5dshold	Ditto, after the TTL on the DS has expired
6dsseen	Ditto, but now reported to OpenDNSSEC through ds-seen

We’ve got this implemented at SURFnet for the subdomains of .nl and our own domains.  The procedure has proven to be rock-solid — the only problem we’ve had with it was that authoritatives that were down blocked the wait-for-all-authoritatives tests :)

-Rick
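The seven-state procedure described above, as an added simulation that is not part of the original post and not SURFnet's or OpenDNSSEC's code. It stores one DNSKEY set (by key tag) per state, compares each state with the next, and only copies the set forward when the constraint for entering that state holds: visibility on every authoritative, TTL expiry, DS present at the parent, or ds-seen reported. A server that is down answers `None` and blocks the all-authoritatives test, which is exactly the failure mode the post mentions. The class and function names, the key tags, the server names and the TTL values are all constructed for the example.

```python
"""Added example: walk a DNSKEY set through the seven parenting states.
Hypothetical names throughout; key tags and servers are constructed."""

STATES = ["0signer", "1author", "2mature", "3parent", "4public", "5dshold", "6dsseen"]


def _all_serve(answers, want):
    """True only if at least one server was asked, every server answered, and
    every answer equals `want`. A server that is down (None) blocks the test."""
    return bool(answers) and all(a == want for a in answers.values())


class DsPipeline:
    """One DNSKEY set per state; a state advances only when its constraint holds."""

    def __init__(self, dnskey_ttl, ds_ttl):
        self.dnskey_ttl = dnskey_ttl
        self.ds_ttl = ds_ttl
        self.sets = {s: frozenset() for s in STATES}
        self.entered = {s: 0 for s in STATES}  # time the set was recorded in that state

    def load_signer(self, keytags, now):
        """State 0: the set the signer currently publishes."""
        self.sets["0signer"] = frozenset(keytags)
        self.entered["0signer"] = now

    def step(self, now, obs):
        """One pass over adjacent state pairs; returns the actions still required.
        obs["zone_auths"]   : {server: frozenset(keytags) or None if down}
        obs["parent_ds"]    : frozenset(keytags) covered by DS at the parent
        obs["parent_auths"] : {server: frozenset(keytags) or None if down}
        obs["ds_seen"]      : True once ds-seen was reported to OpenDNSSEC
        """
        actions = []
        for prev, nxt in zip(STATES, STATES[1:]):
            want = self.sets[prev]
            if want == self.sets[nxt]:
                continue  # no difference between the two states, nothing to do
            ok, action = self._constraint(nxt, want, now, obs)
            if ok:
                self.sets[nxt] = want
                self.entered[nxt] = now
            else:
                actions.append(action)
        return actions

    def _constraint(self, state, want, now, obs):
        if state == "1author":
            return _all_serve(obs["zone_auths"], want), "wait: DNSKEY set not on all zone authoritatives"
        if state == "2mature":
            return now - self.entered["1author"] >= self.dnskey_ttl, "wait: DNSKEY TTL not yet expired"
        if state == "3parent":
            return obs["parent_ds"] == want, "submit DS records to parent"
        if state == "4public":
            return _all_serve(obs["parent_auths"], want), "wait: DS set not on all parent authoritatives"
        if state == "5dshold":
            return now - self.entered["4public"] >= self.ds_ttl, "wait: DS TTL not yet expired"
        if state == "6dsseen":
            return obs["ds_seen"], "report ds-seen to OpenDNSSEC"
        raise ValueError(state)


def simulate():
    """Constructed scenario: one key set, one zone authoritative initially down.
    Returns the list of actions reported by each step."""
    keys = frozenset({11111, 22222})  # constructed key tags
    p = DsPipeline(dnskey_ttl=3600, ds_ttl=7200)
    p.load_signer(keys, now=0)
    obs = {"zone_auths": {"ns1.example": keys, "ns2.example": None},
           "parent_ds": frozenset(), "parent_auths": {}, "ds_seen": False}
    trace = [p.step(0, obs)]            # ns2 down: blocked at 1author
    obs["zone_auths"]["ns2.example"] = keys
    trace.append(p.step(100, obs))      # 1author reached, DNSKEY TTL pending
    trace.append(p.step(3700, obs))     # 2mature reached, DS must be submitted
    obs["parent_ds"] = keys
    trace.append(p.step(3800, obs))     # 3parent reached, waiting on parent auths
    obs["parent_auths"] = {"a.parent": keys, "b.parent": keys}
    trace.append(p.step(3900, obs))     # 4public reached, DS TTL pending
    trace.append(p.step(11100, obs))    # 5dshold reached, ds-seen outstanding
    obs["ds_seen"] = True
    trace.append(p.step(11200, obs))    # 6dsseen reached, nothing left to do
    return trace


if __name__ == "__main__":
    for i, actions in enumerate(simulate()):
        print(i, actions)
```

The pipeline never skips a state: each step only compares neighbouring states, so a set reaches 6dsseen only after every intermediate constraint has been observed to hold at least once.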

