[Opendnssec-user] Pre-publish DS records?

Rick van Rein rick at openfortress.nl
Fri Feb 13 11:43:27 UTC 2015


> So DelegationSignerSubmitCommand gets DNSKEY, calculates DS, submits DS,
> schedules process to wait for DS actually in parent, waits a wee bit
> longer and then marks ds-seen. Sounds good.

The general procedure that we follow for parenting goes through a number of states, for each of which we store the DNSKEY set, and when differences exist between one state and the next we try to make the required changes.  The states and their updating constraints are:

0signer	The signer DNSKEY set
1author	Dito, after it has become visible on all authoritative name servers
2mature	Dito, after the TTL on the DNSKEYs has passed
3parent	The DNSKEY set supported in the parent’s DS records
4public	Dito, now published on all authoritatives
5dshold	Dito, after the TTL on the DS has expired
6dsseen	Dito, but now reported to OpenDNSSEC through ds-seen

We’ve got this implemented at SURFnet for the subdomains of .nl and our own domains.  The procedure has proven to be rock-solid — the only problem we’ve had with it was that authoratitatives that were down blocked the wait-for-all-authoritatives tests :)


More information about the Opendnssec-user mailing list