[Opendnssec-user] Key and DS states

Havard Eidnes he at uninett.no
Tue Feb 11 07:50:18 UTC 2020


Hi,

I'm continuing on my path to transition to OpenDNSSEC 2.x, and
naturally the question of the documentation for the Key and DS
states comes up.

This was brought up already by Casper Gielen in

  https://lists.opendnssec.org/pipermail/opendnssec-user/2017-October/004117.html

and I agree with much of what he says.

The documentation about "Key states explained" at

  https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125365

could do with some improvements.

There is also

  https://wiki.opendnssec.org/display/OpenDNSSEC/Changes+to+key+states+and+rollovers

which documents the differences between OpenDNSSEC 1.x and 2.x
when it comes to key states.


I have a couple of specific questions:

1) OpenDNSSEC 2.x introduces two new key operations, "ds-submit" and
   "ds-retract".  If I've understood correctly (the docs don't say
   this explicitly), these are mostly "safety measures", that the
   operator can indicate to OpenDNSSEC that he will submit the DS
   record for a given key, or will de-register the DS record for a
   given key, and will cause OpenDNSSEC to respectively not take the
   key out of use or start re-using it.

   Casper's message seems to indicate that OpenDNSSEC does these
   operations itself; I find that puzzling.  What is correct?  There
   is no follow-up to his message which clarifies this.

2) The 4-state diagram describing "hidden", "rumoured", "omnipresent"
   and "unretentive" as key states doesn't really explain sufficiently
   whether the individual state transitions are purely timer-based, or
   whether operator or "external tool" action is required.  Some of
   the text seems to imply that e.g. the transition from "rumoured" to
   "omnipresent" is purely timer-based.  Is that precise and correct?

3) It seems like "dead" keys (both "Pub" and "Act" are 0, and other
   states mostly "hidden" or "NA" -- what's the exact condition?) are
   no longer automatically removed, but removal / cleanup of dead keys
   needs to be done via "ods-enforcer key purge [--zone <zone>]".
   True?

This will probably not be the last set of questions in this area...

Regards,

- Håvard
