[Opendnssec-user] What's difference between usage of ODS2x DelegationSignerSubmitCommand & DelegationSignerRetractCommand ?

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Feb 20 15:14:45 UTC 2017


> What are the trigger conditions / different usage for
>     <DelegationSignerRetractCommand>
> vs
>     <DelegationSignerRetractCommand>

> Are they both triggered automatically based on internal key state?
> Which, specifically?  And what's relative timing?

These are fired automatically, based on the internal state. Specifically:

When a new key is introduced and the enforcer deems it ready for
inclusion in the DS RRset at the parent the
DelegationSignerSubmitCommand will fire.

Each KSK has a DS state which is one of

typedef enum key_data_ds_at_parent {
    KEY_DATA_DS_AT_PARENT_INVALID = -1,
    KEY_DATA_DS_AT_PARENT_UNSUBMITTED = 0,
    KEY_DATA_DS_AT_PARENT_SUBMIT = 1,
    KEY_DATA_DS_AT_PARENT_SUBMITTED = 2,
    KEY_DATA_DS_AT_PARENT_SEEN = 3,
    KEY_DATA_DS_AT_PARENT_RETRACT = 4,
    KEY_DATA_DS_AT_PARENT_RETRACTED = 5
} key_data_ds_at_parent_t;

A new KSK will start at KEY_DATA_DS_AT_PARENT_UNSUBMITTED. Then at some
point it is ready to be submitted and will move to
KEY_DATA_DS_AT_PARENT_SUBMIT. If no DelegationSignerSubmitCommand is
specified in the conf it will stay there until the user issues a 'key
ds-submit'. If it is specified the script will fire. Either way the
state will then go to KEY_DATA_DS_AT_PARENT_SUBMITTED and stay there.
You should see a 'waiting for ds-seen' in your keylist. The user is
supposed to issue a 'key ds-seen' when the DS record of this particular
key is visible to the world.
Then, at some point this key is to be removed. The process is similar
and the key will transition to KEY_DATA_DS_AT_PARENT_RETRACT. Then after
a manual 'key ds-retract' or an automatic DelegationSignerRetractCommand
the state will be KEY_DATA_DS_AT_PARENT_RETRACTED. Now you should see
'waiting for ds-gone' until the user does a 'key ds-gone', at which
point the state will be KEY_DATA_DS_AT_PARENT_UNSUBMITTED again.

> And what's relative timing?

This depends on the rollover strategy, kasp parameters, TTLs on
different records (including negative), signer parameters, whether it is
an algorithm rollover and how fast the user interacts. I can't give you
a straight answer to this. It is a hard problem which the enforcer
is designed to solve.

Regards,
Yuri
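The DS-at-parent lifecycle described in this reply, written out as a small C state machine. This is an added example, not OpenDNSSEC code: only the key_data_ds_at_parent enum is taken from the mail; the EV_* event names, the ds_transition / ds_hook_to_run / ds_keylist_hint / ds_run functions and the non-"waiting for" keylist labels are this example's own. It also assumes that 'key ds-seen' moves the key to KEY_DATA_DS_AT_PARENT_SEEN, which the enum suggests but the mail does not state. Every state accepts exactly one event, so an out-of-order operator command (a 'ds-gone' while the key is still waiting for 'ds-seen', say) is reported as invalid instead of being applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DS-at-parent states, reproduced from the mail so this file builds on its own. */
typedef enum key_data_ds_at_parent {
    KEY_DATA_DS_AT_PARENT_INVALID = -1,
    KEY_DATA_DS_AT_PARENT_UNSUBMITTED = 0,
    KEY_DATA_DS_AT_PARENT_SUBMIT = 1,
    KEY_DATA_DS_AT_PARENT_SUBMITTED = 2,
    KEY_DATA_DS_AT_PARENT_SEEN = 3,
    KEY_DATA_DS_AT_PARENT_RETRACT = 4,
    KEY_DATA_DS_AT_PARENT_RETRACTED = 5
} key_data_ds_at_parent_t;

/* Events that move a KSK between those states. The EV_* names are this
 * example's own, not OpenDNSSEC identifiers. */
typedef enum {
    EV_ENFORCER_READY_FOR_DS,   /* enforcer deems the key ready for the parent DS RRset */
    EV_SUBMIT,                  /* 'key ds-submit' or DelegationSignerSubmitCommand ran */
    EV_DS_SEEN,                 /* 'key ds-seen': DS is visible to the world */
    EV_ENFORCER_READY_TO_LEAVE, /* enforcer wants the DS removed from the parent */
    EV_RETRACT,                 /* 'key ds-retract' or DelegationSignerRetractCommand ran */
    EV_DS_GONE                  /* 'key ds-gone': DS no longer at the parent */
} ds_event_t;

/* Apply one event. Each state accepts exactly one event and advances to the
 * next state in enum order, wrapping from RETRACTED back to UNSUBMITTED.
 * Anything else yields KEY_DATA_DS_AT_PARENT_INVALID. */
key_data_ds_at_parent_t ds_transition(key_data_ds_at_parent_t s, ds_event_t ev)
{
    static const ds_event_t expected[] = {  /* indexed by state value 0..5 */
        EV_ENFORCER_READY_FOR_DS,   /* UNSUBMITTED -> SUBMIT */
        EV_SUBMIT,                  /* SUBMIT      -> SUBMITTED */
        EV_DS_SEEN,                 /* SUBMITTED   -> SEEN (assumed from the enum) */
        EV_ENFORCER_READY_TO_LEAVE, /* SEEN        -> RETRACT */
        EV_RETRACT,                 /* RETRACT     -> RETRACTED */
        EV_DS_GONE                  /* RETRACTED   -> UNSUBMITTED */
    };
    if (s < KEY_DATA_DS_AT_PARENT_UNSUBMITTED || s > KEY_DATA_DS_AT_PARENT_RETRACTED)
        return KEY_DATA_DS_AT_PARENT_INVALID;
    if (expected[s] != ev)
        return KEY_DATA_DS_AT_PARENT_INVALID;
    return (key_data_ds_at_parent_t)((s + 1) % 6);
}

/* Which hook, if any, fires on entering a state. With no command configured
 * in conf the key just waits for the operator's 'key ds-submit' / 'key ds-retract'. */
const char *ds_hook_to_run(key_data_ds_at_parent_t s,
                           bool submit_cmd_configured, bool retract_cmd_configured)
{
    if (s == KEY_DATA_DS_AT_PARENT_SUBMIT && submit_cmd_configured)
        return "DelegationSignerSubmitCommand";
    if (s == KEY_DATA_DS_AT_PARENT_RETRACT && retract_cmd_configured)
        return "DelegationSignerRetractCommand";
    return NULL;
}

/* What the operator is being asked to do. The two 'waiting for' strings are the
 * ones the mail says appear in the keylist; the other labels are this example's. */
const char *ds_keylist_hint(key_data_ds_at_parent_t s)
{
    switch (s) {
    case KEY_DATA_DS_AT_PARENT_UNSUBMITTED: return "not at parent";
    case KEY_DATA_DS_AT_PARENT_SUBMIT:      return "submit (ds-submit or hook)";
    case KEY_DATA_DS_AT_PARENT_SUBMITTED:   return "waiting for ds-seen";
    case KEY_DATA_DS_AT_PARENT_SEEN:        return "at parent";
    case KEY_DATA_DS_AT_PARENT_RETRACT:     return "retract (ds-retract or hook)";
    case KEY_DATA_DS_AT_PARENT_RETRACTED:   return "waiting for ds-gone";
    default:                                return "invalid";
    }
}

/* Feed a sequence of events through the machine. Stops at the first invalid
 * transition, stores the last valid state in *final_state and returns how
 * many events were accepted. */
size_t ds_run(key_data_ds_at_parent_t start, const ds_event_t *evs, size_t n,
              key_data_ds_at_parent_t *final_state)
{
    key_data_ds_at_parent_t s = start;
    size_t i;
    for (i = 0; i < n; i++) {
        key_data_ds_at_parent_t next = ds_transition(s, evs[i]);
        if (next == KEY_DATA_DS_AT_PARENT_INVALID)
            break;
        s = next;
    }
    *final_state = s;
    return i;
}

int main(void)
{
    /* Constructed lifecycle of one KSK: submit hook configured, no retract hook. */
    const ds_event_t life[] = { EV_ENFORCER_READY_FOR_DS, EV_SUBMIT, EV_DS_SEEN,
                                EV_ENFORCER_READY_TO_LEAVE, EV_RETRACT, EV_DS_GONE };
    key_data_ds_at_parent_t s = KEY_DATA_DS_AT_PARENT_UNSUBMITTED;
    for (size_t i = 0; i < sizeof life / sizeof life[0]; i++) {
        s = ds_transition(s, life[i]);
        const char *hook = ds_hook_to_run(s, true, false);
        printf("state %d: %s%s%s\n", (int)s, ds_keylist_hint(s),
               hook ? ", fires " : "", hook ? hook : "");
    }
    return 0;
}
```

Running main walks one full rollover: the key reaches SUBMIT (where the configured submit hook fires), sits in SUBMITTED showing "waiting for ds-seen", reaches RETRACT (where, with no retract hook configured, it waits for a manual 'key ds-retract'), shows "waiting for ds-gone", and ends back at UNSUBMITTED.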
