[Opendnssec-user] Unexpected DS state transition UNSUBMITTED to SUBMITTED (v 2.1.5)

Philip Paeps philip at trouble.is
Mon Jun 28 10:08:47 UTC 2021


On 2021-06-26 04:25:22 (+0800), Wessels, Duane via Opendnssec-user wrote:

> Hi, I'm doing some tests with OpenDNSSEC.  My version is 2.1.5, from 
> Ubuntu packages.
>
> I see the output of 'ods-enforcer key list -d' go from:
>
> aaa.example.com                 KSK      publish   ds-unsubmitted           128   13         0248f9eeaf8c305491a2989f74683c8b SoftHSM     33278
>
> to:
>
> aaa.example.com                 KSK      ready     waiting for ds-seen      128   13         0248f9eeaf8c305491a2989f74683c8b SoftHSM     33278
>
> Based on what I read at the Key States Explained page of the wiki, I 
> expected to see an intermediate SUBMIT state where I would then tell 
> the enforcer that it has been submitted (but not yet seen).
>
> My syslog has this:
>
> Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
> Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] please submit DS with keytag 33278 for zone aaa.example.com
> Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] performing signconf for zone aaa.example.com
> Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] signconf done for zone aaa.example.com, notifying signer
> Jun 25 19:57:52 ods ods-signerd: [signconf] zone aaa.example.com signconf: RESIGN[PT1M] REFRESH[PT1H] VALIDITY[P1D] DENIAL[P1D] KEYSET[PT0S] JITTER[PT30M] OFFSET[PT10M] NSEC[50] DNSKEYTTL[PT5M] SOATTL[PT5M] MINIMUM[PT5M] SERIAL[unixtime]
> Jun 25 19:57:52 ods ods-signerd: [STATS] aaa.example.com 1624651072 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=7 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jun 25 19:57:52 ods ods-enforcerd: [keystate_ds_x_cmd] No "DelegationSignersubmitCommand" configured.
> Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
> Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] No changes to signconf file required for zone aaa.example.com

As I understand it, the SUBMIT state begins when 
DelegationSignersubmitCommand starts executing and ends when it 
finishes.

Because you have no DelegationSignersubmitCommand configured, the state 
change is invisible to you.

I don't believe there is a way to make a key stay in the ds-unsubmitted 
state.  There is no practical use for such a state though, since nothing 
will happen to the key until ds-seen is reached.  So you may as well 
hang out in waiting for ds-seen.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
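
An added example, not part of the original message and not OpenDNSSEC's own code: because the submit step leaves no visible state when no submit command is configured, this pairs the enforcer's "please submit DS" syslog request with key-list rows still waiting for ds-seen, so a pending parent-side DS update is not missed. The sample lines are the ones quoted above, unwrapped; the column layout and the names `parse_key_line` and `pending_ds` are assumptions.

```python
import re

# Message formats as they appear in the syslog quoted in this thread.
SUBMIT_RE = re.compile(r"\[enforce_task\] please submit DS with keytag (\d+) for zone (\S+)")
NO_CMD_RE = re.compile(r'No "DelegationSignersubmitCommand" configured')

# Sample input: lines taken from the quoted message, unwrapped.
SYSLOG = [
    "Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] please submit DS with keytag 33278 for zone aaa.example.com",
    'Jun 25 19:57:52 ods ods-enforcerd: [keystate_ds_x_cmd] No "DelegationSignersubmitCommand" configured.',
]
KEYS_BEFORE = ["aaa.example.com KSK publish ds-unsubmitted 128 13 0248f9eeaf8c305491a2989f74683c8b SoftHSM 33278"]
KEYS_AFTER = ["aaa.example.com KSK ready waiting for ds-seen 128 13 0248f9eeaf8c305491a2989f74683c8b SoftHSM 33278"]

def parse_key_line(line):
    """Split one key-list row. The fourth column may contain spaces
    ("waiting for ds-seen"), so the last five fields are taken from the end."""
    tok = line.split()
    if len(tok) < 9 or tok[1] not in ("KSK", "ZSK", "CSK"):
        return None  # header, blank or unrelated line
    return {"zone": tok[0], "role": tok[1], "state": tok[2],
            "next": " ".join(tok[3:-5]), "keytag": int(tok[-1])}

def pending_ds(syslog_lines, keylist_lines):
    """Keys whose DS the enforcer asked to have submitted and that still wait for ds-seen."""
    requested, no_cmd = set(), False
    for line in syslog_lines:
        m = SUBMIT_RE.search(line)
        if m:
            requested.add((m.group(2), int(m.group(1))))
        elif NO_CMD_RE.search(line):
            no_cmd = True  # the enforcer ran no submit command itself
    pending = []
    for line in keylist_lines:
        key = parse_key_line(line)
        if key and "ds-seen" in key["next"] and (key["zone"], key["keytag"]) in requested:
            key["manual_submit"] = no_cmd
            pending.append(key)
    return pending

if __name__ == "__main__":
    for key in pending_ds(SYSLOG, KEYS_AFTER):
        how = "by hand" if key["manual_submit"] else "by the configured command"
        print(f"{key['zone']} keytag {key['keytag']}: DS submission {how}, still waiting for ds-seen")
```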

