[Opendnssec-user] What's difference between usage of ODS2x DelegationSignerSubmitCommand & DelegationSignerRetractCommand ?

PGNet Dev pgnet.dev at gmail.com
Mon Feb 20 16:35:31 UTC 2017


On 02/20/2017 07:14 AM, Yuri Schaeffer wrote:
>> What are the trigger conditions / different usage for
>>      <DelegationSignerRetractCommand>
>> vs
>>      <DelegationSignerRetractCommand>
>> Are they both triggered automatically based on internal key state?
>> Which, specifically?  And what's relative timing?
> These are fired automatically, based on the internal state. Specifically:
> 
> When a new key is introduced and the enforcer deems it ready for

...

This is an immensely helpful write up.

https://tools.ietf.org/html/rfc7583 is too, but obviously doesn't
address the ODS-specific bits.

It'd be quite useful to include it, or some similar variant, in the ODS 
2 online docs.


> You should see a 'waiting for ds-seen' in your keylist. The user is
> supposed to issue a 'key ds-seen' when the DS record of this particular
> key is visible to the world.

IIUC there is no current "wait for ds-seen" mechanism or script hook in 
ODS 2.1.x, is there?  I.e., needs to be done externally (cron job, etc)?

> Then, at some point this key is to be removed.

Ok.  So, kasp-schedule driven ...


>> And what's relative timing?
> This depends on the rollover strategy, kasp parameters, TTLs on
> different records (including negative), signer parameters, whether it is
> an algorithm rollover and how fast the user interacts. I can't give you
> a straight answer to this. It is a hard problem which the enforcer
> is designed to solve.

Similar to rfc7583,

    3. Key Rollover Timelines
       3.1. Key States
       3.2. ZSK Rollover Timelines
            3.2.1. Pre-Publication Method
            3.2.2. Double-Signature Method
       3.3. KSK Rollover Timelines
            3.3.1. Double-KSK Method
            3.3.2. Double-DS Method
            3.3.3. Double-RRset Method
            3.3.4. Interaction with Configured Trust Anchors
            3.3.5. Introduction of First Keys

it'd be useful to evolve the ODS docs to descriptively parallel some 
subset of those strategies, identifying recommendations/best-practices 
best suited for ODS2's enforcerd design.

Thanks!
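The "external cron job" the message above asks about, as an added example that is not part of this thread and not OpenDNSSEC project code: a small POSIX shell script that polls a resolver for the zone's DS RRset and, once a DS with the expected key tag is visible, tells the enforcer the DS has been seen. It assumes `dig` is installed and that the enforcer accepts `ods-enforcer key ds-seen --zone ZONE --keytag KEYTAG`; the zone, key tag and resolver are passed in through the `DS_SEEN_ZONE`, `DS_SEEN_KEYTAG` and `DS_SEEN_RESOLVER` environment variables, which are names chosen for this example.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC project code): cron-driven poll that marks a
# KSK as ds-seen once its DS record is visible at the parent.
# Assumptions (not from the thread): `dig` is available, and the enforcer
# accepts `ods-enforcer key ds-seen --zone ZONE --keytag KEYTAG`.
set -u

# ds_keytag_present DS_RRSET KEYTAG
# DS_RRSET is the output of `dig +short DS <zone>`: one record per line in
# the form "<keytag> <algorithm> <digest-type> <digest>". Returns 0 when a
# DS record carrying KEYTAG is present, 1 otherwise.
ds_keytag_present() {
    rrset=$1
    keytag=$2
    printf '%s\n' "$rrset" | awk -v tag="$keytag" '
        NF >= 4 && $1 == tag { found = 1 }
        END { exit found ? 0 : 1 }'
}

# count_ds_records DS_RRSET
# Number of DS records in the answer, so an empty answer (parent has not
# published anything yet) is never mistaken for "seen".
count_ds_records() {
    printf '%s\n' "$1" | awk 'NF >= 4 { n++ } END { print n + 0 }'
}

# query_parent_ds ZONE RESOLVER: fetch the DS RRset for ZONE from RESOLVER.
query_parent_ds() {
    dig +short DS "$1" "@$2"
}

# mark_ds_seen ZONE KEYTAG: tell the enforcer the DS is visible.
mark_ds_seen() {
    ods-enforcer key ds-seen --zone "$1" --keytag "$2"
}

# main ZONE KEYTAG [RESOLVER]
main() {
    zone=$1
    keytag=$2
    resolver=${3:-8.8.8.8}
    rrset=$(query_parent_ds "$zone" "$resolver")
    if [ "$(count_ds_records "$rrset")" -eq 0 ]; then
        echo "$zone: no DS records visible at $resolver yet" >&2
        return 1
    fi
    if ds_keytag_present "$rrset" "$keytag"; then
        echo "$zone: DS for key tag $keytag visible, issuing ds-seen" >&2
        mark_ds_seen "$zone" "$keytag"
    else
        echo "$zone: DS present but key tag $keytag not yet published" >&2
        return 1
    fi
}

# Only run the poll when configured from the environment (e.g. from cron),
# so the functions above can also be sourced and tested on their own.
if [ -n "${DS_SEEN_ZONE:-}" ] && [ -n "${DS_SEEN_KEYTAG:-}" ]; then
    main "$DS_SEEN_ZONE" "$DS_SEEN_KEYTAG" "${DS_SEEN_RESOLVER:-8.8.8.8}"
fi
```

Run it from cron as `DS_SEEN_ZONE=example.com DS_SEEN_KEYTAG=12345 DS_SEEN_RESOLVER=192.0.2.53 ./ds-seen-poll.sh`, with the values replaced by your own. Querying the parent zone's authoritative servers directly is a better proxy for "visible to the world" than a single recursive resolver, which may serve a cached pre-publication answer; the enforcer still waits out the configured parent DS TTL after `ds-seen` before it lets the rollover proceed, so signalling a little early is less dangerous than signalling against a stale cache.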


