[Opendnssec-user] Timing/triggers for ODS2 Enforcer's <DelegationSignerSubmitCommand> & <DelegationSignerRetractCommand> ?

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Feb 1 08:23:20 UTC 2017


> Reading
> 
> https://www.opendnssec.org/documentation/using-opendnssec/
> 
> "Configure the <DelegationSignerSubmitCommand> if you want to have a
> program/script receiving the new KSK during a key rollover. This will
> make it possible to create a fully automatic KSK rollover, where
> OpenDNSSEC feeds your program/script on stdin with the current set of
> DNSKEYs that we want to have in the parent as DS RRs. There are two
> examples available: an eppclient and a simple mail script. Remember
> that the ods-ksmutil key ds-seen must be given in order to complete
> the rollover. This should only be done when the new DS RRs are
> available on the parent's public nameservers."
> 
> it's unclear.
> 
> Is ODS enforcer polling for a specific trigger to fire each script?

It decides based on its internal state. When a KSK is ready to be
submitted to the parent the <DelegationSignerSubmitCommand> script
will run. After that it waits for an external signal (ds-seen), given
by either the operator or a script.

> Or do we need to add polling of some sort in the scripts themselves? 

OpenDNSSEC does not poll the parent nameservers to see the DS
availability. So if you want to fully automate a rollover you will need
to do some polling yourself before you call ds-seen.

On our roadmap are plans for adding more hooks to OpenDNSSEC to aid this
process. But that won't be short term.

//Yuri
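As an added example (not code from the thread or from the OpenDNSSEC project): a Python skeleton for the <DelegationSignerSubmitCommand> script described above. It assumes the enforcer feeds presentation-format DNSKEY RRs on stdin, one per line; it derives the DS records the parent must publish and exposes the check an operator's own polling loop can run against a parent nameserver's DS answer before calling ds-seen.

```python
# Assumption (not verified against OpenDNSSEC sources): the enforcer writes
# DNSKEY RRs in zone-file presentation format, e.g.
#   example.com. 3600 IN DNSKEY 257 3 8 <base64>
import base64, hashlib, struct

def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64' into (owner, rdata)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pub = base64.b64decode("".join(f[i + 4:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + pub

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 hex) the parent should publish."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ksks_from_stdin(text):
    """Expected DS set for the KSKs (SEP bit set) in the enforcer's stdin payload."""
    out = []
    for line in text.splitlines():
        if "DNSKEY" in line and not line.startswith(";"):
            owner, rdata = parse_dnskey(line)
            if struct.unpack("!H", rdata[:2])[0] & 0x0001:  # SEP flag => KSK
                out.append(ds_record(owner, rdata))
    return out

def ds_published(expected, parent_answer):
    """True only when every expected DS is in the parent's answer, given as
    'keytag alg dtype digest' lines (dig may split long digests with spaces)."""
    seen = set()
    for a in parent_answer:
        f = a.split()
        seen.add((int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()))
    return all(ds in seen for ds in expected)

if __name__ == "__main__":  # run as the submit command: print DS RRs for the parent
    import sys
    for tag, alg, dtype, digest in ksks_from_stdin(sys.stdin.read()):
        print(f"DS {tag} {alg} {dtype} {digest}")
```

The polling loop itself stays with the operator: query each of the parent's public nameservers for the zone's DS RRset, and only once ds_published holds on all of them issue the ds-seen command for that key tag.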

