[Opendnssec-user] key export in ods 2.0.1

Casper Gielen C.Gielen at uvt.nl
Fri Oct 20 14:16:43 UTC 2017

Op 10-08-16 om 17:38 schreef Yuri Schaeffer:
> On 10-08-16 15:13, Fred.Zwarts wrote:
>> Thanks, this helps a bit.
>> But "dead", "unknown" and "mixed" still result in "unknown keystate,
>> Error parsing arguments" when used to export keys.
> Ah yes, I was reading the wrong piece of code. There is some more code
> that applies a filter on the input arguments. That code accepts.
> generate, publish, ready, active, retire, revoke

sorry for the late reply but I feel this part has yet to be fully

I'm trying to convert my tools to ODS2 but I ran into problems due to a
lack of understanding of the process. There is a lot of information on
https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained but it
is cryptic at best*. The usefull information seems to be on the second
half of the page.
Nowhere is explained how all the state machines go together, what is
expected from the user, or what the relation is to the states of the DS
at the parent, or wether or not backup is a state.

I consider myself an experienced ODS1 user and I'm not sure I fully get
it. This mail started out as a request for help but I solved my
particular problem while writing it. I post it anyway to validate that I
got it right and perhaps to help the next person that needs it.

Here is my description of the typical workflow from the point of view of
a user.

state: A new key has been generated and has been added to the zone.
next:  Automatic.

state: Key is not ready to be published.
next:  Issue 'backup prepare'

state: Database is ready to make a backup.
next:  Make a backup and issue 'backup commit'.

state: Key is backed up
next:  Request to upload the DS to the parent by calling 'ds-submit'.

state: Key is being published and spread to parents' DNS-servers.
next:  Confirm that the DS is fully published by parent with 'ds-seen'.

state: Everything is ready but the new key is not actually used.
next:  Nothing, just wait until the next time the enforcer runs.

state: The key is in active use
next:  Wait or request to stop using this key by calling 'rollover'

state: Key is no longer used for new signatures
next:  Request to remove the DS from the parent by calling 'ds-retract'.

state: Key is not used at all
next:  Confirm the DS has been removed by the parent with 'ds-gone'.

The signer will issue the ds-submit and ds-retract commands on it's own.
The 'ds-seen' and 'ds-gone' commands must be invoked by the user or an
external script.


I'm using ODS 2.0.4 as provided by Debian Stretch.

* The comparison with ODS1 and the description of the four state
machines are more confusing than helpfull to new users. IMHO these state
machines are mostly irrelevant to the user and should not be the first
they read about.

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

More information about the Opendnssec-user mailing list