[Opendnssec-user] Unexpected DS state transition UNSUBMITTED to SUBMITTED (v 2.1.5)

Wessels, Duane dwessels at verisign.com
Mon Jun 28 16:25:30 UTC 2021



> On Jun 28, 2021, at 3:08 AM, Philip Paeps <philip at trouble.is> wrote:
> 
> On 2021-06-26 04:25:22 (+0800), Wessels, Duane via Opendnssec-user wrote:
> 
>> Hi, I'm doing some tests with OpenDNSSEC.  My version is 2.1.5, from Ubuntu packages.
>> 
>> I see the output of 'ods-enforcer key list -d' go from:
>> 
>> aaa.example.com                 KSK      publish   ds-unsubmitted           128   13         0248f9eeaf8c305491a2989f74683c8b SoftHSM     33278
>> 
>> to:
>> 
>> aaa.example.com                 KSK      ready     waiting for ds-seen      128   13         0248f9eeaf8c305491a2989f74683c8b SoftHSM     33278
>> 
>> Based on what I read at the Key States Explained page of the wiki, I expected to see an intermediate SUBMIT state where I would then tell the enforcer that it has been submitted (but not yet seen).
>> 
>> My syslog has this:
>> 
>> Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] please submit DS with keytag 33278 for zone aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] performing signconf for zone aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] signconf done for zone aaa.example.com, notifying signer
>> Jun 25 19:57:52 ods ods-signerd: [signconf] zone aaa.example.com signconf: RESIGN[PT1M] REFRESH[PT1H] VALIDITY[P1D] DENIAL[P1D] KEYSET[PT0S] JITTER[PT30M] OFFSET[PT10M] NSEC[50] DNSKEYTTL[PT5M] SOATTL[PT5M] MINIMUM[PT5M] SERIAL[unixtime]
>> Jun 25 19:57:52 ods ods-signerd: [STATS] aaa.example.com 1624651072 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=7 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
>> Jun 25 19:57:52 ods ods-enforcerd: [keystate_ds_x_cmd] No "DelegationSignersubmitCommand" configured.
>> Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] No changes to signconf file required for zone aaa.example.com
> 
> As I understand it, the SUBMIT state begins when DelegationSignersubmitCommand starts executing and ends when it finishes.
> 
> Because you have no DelegationSignersubmitCommand configured, the state change is invisible to you.
> 
> I don't believe there is a way to make a key stay in the ds-unsubmitted state.  There is no practical use for such a state though, since nothing will happen to the key until ds-seen is reached.  So you may as well hang out in waiting for ds-seen.


Thanks Philip and Håvard for the responses.

Seems like my qualms are mostly with the documentation then.  The wiki page on key states says "It either waits for the user confirming the upload", which isn't the case.

It is not clear when one should execute 'ods-enforcer key ds-seen'.  Is that as soon as the DS record first appears in the parent zone?  Or should one wait an additional DS TTL so it expires from caches?  I suspect it is the former, but in either case it is not clear what the point of specifying the parent DS TTL in the policy is.

DW
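The syslog line above ('No "DelegationSignersubmitCommand" configured.') is the hook whose absence makes the SUBMIT state invisible. The following is an added example of such a hook, not code from OpenDNSSEC or from anyone in this thread. It assumes (unverified against the 2.1.5 source) that the enforcer pipes the zone's DNSKEY RRs to the configured command on standard input, one presentation-format RR per line, and that the command is set in conf.xml's Enforcer section. The script derives the DS record (RFC 4034 section 5.1.4, SHA-256 digest type per RFC 4509) and the RFC 4034 appendix B key tag from each KSK, so the operator can check the tag against the "please submit DS with keytag N" log line before running 'ods-enforcer key ds-seen'. The sample DNSKEY is constructed (a 64-byte algorithm 13 public key consisting of the bytes 0x00..0x3f), not a real key.

```python
#!/usr/bin/env python3
"""Minimal DelegationSignerSubmitCommand hook for OpenDNSSEC (added example,
not the project's own code).

Assumption: the enforcer runs this command with the zone's DNSKEY RRs on
stdin, one RR per line in presentation format.  The hook prints the DS RR
for every KSK (SEP flag set) and reminds the operator which ds-seen command
to run once the DS is visible in the parent zone.
"""
import base64
import hashlib
import struct
import sys

SEP_FLAG = 0x0001          # RFC 4034 section 2.1.1; KSKs carry flags 257
SHA256_DIGEST_TYPE = 2     # RFC 4509


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into fields."""
    parts = line.split()
    idx = parts.index("DNSKEY")
    owner = parts[0]
    flags, proto, alg = (int(x) for x in parts[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(parts[idx + 4:]))   # key may be split over words
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def keytag(flags, proto, alg, pubkey):
    """RFC 4034 appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, pubkey)):
        ac += b if i & 1 else b << 8      # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in owner.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, proto, alg, pubkey):
    """DS RR for a DNSKEY: SHA-256 over owner name + DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {keytag(flags, proto, alg, pubkey)} {alg} {SHA256_DIGEST_TYPE} {digest}"


def submit_hook(stdin_text):
    """Return (ds_records, ds_seen_commands) for every KSK found on stdin."""
    ds_lines, cmds = [], []
    for line in stdin_text.splitlines():
        if "DNSKEY" not in line or line.lstrip().startswith(";"):
            continue
        owner, flags, proto, alg, pubkey = parse_dnskey(line)
        if not flags & SEP_FLAG:
            continue                      # ZSKs never go to the parent
        ds_lines.append(ds_record(owner, flags, proto, alg, pubkey))
        cmds.append("ods-enforcer key ds-seen --zone %s --keytag %d"
                    % (owner.rstrip("."), keytag(flags, proto, alg, pubkey)))
    return ds_lines, cmds


# Constructed sample: an algorithm 13 KSK whose 64 public-key bytes are 0x00..0x3f.
SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_DNSKEY = ("aaa.example.com. 300 IN DNSKEY 257 3 13 "
                 + base64.b64encode(SAMPLE_PUBKEY).decode("ascii"))

if __name__ == "__main__":
    # With no enforcer feeding stdin, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DNSKEY + "\n"
    ds, cmds = submit_hook(data)
    for rr in ds:
        print(rr)                         # hand these to the parent / registrar
    for c in cmds:
        print("# once the DS is visible in the parent:", c, file=sys.stderr)
    sys.exit(0 if ds else 1)              # assumption: non-zero marks the submission as failed
```

The DS digest covers the canonical owner name, so a mixed-case owner in the DNSKEY line must be lowercased before hashing (wire_name does this); a hook that hashes the presentation string as given would produce a DS the parent rejects. The ds-seen reminder is only a reminder: as the thread notes, the enforcer cannot see the parent zone, so the operator still has to confirm the DS is published before running it.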
