[Opendnssec-user] Unexpected DS state transition UNSUBMITTED to SUBMITTED (v 2.1.5)

Philip Paeps philip at trouble.is
Mon Jun 28 16:43:59 UTC 2021

On 2021-06-29 00:25:30 (+0800), Wessels, Duane wrote:
> On Jun 28, 2021, at 3:08 AM, Philip Paeps <philip at trouble.is> wrote:
>> On 2021-06-26 04:25:22 (+0800), Wessels, Duane via Opendnssec-user 
>> wrote:
>>> Based on what I read at the Key States Explained page of the wiki, I 
>>> expected to see an intermediate SUBMIT state where I would then tell 
>>> the enforcer that it has been submitted (but not yet seen).
>>> My syslog has this: [...]
>> As I understand it, the SUBMIT state begins when 
>> DelegationSignersubmitCommand starts executing and ends when it 
>> finishes.
>> Because you have no DelegationSignersubmitCommand configured, the 
>> state change is invisible to you.
>> I don't believe there is a way to make a key stay in the 
>> ds-unsubmitted state.  There is no practical use for such a state 
>> though, since nothing will happen to the key until ds-seen is 
>> reached.  So you may as well hang out in waiting for ds-seen.
> Seems like my qualms are mostly with the documentation then.  The wiki 
> page on key states says "It either waits for the user confirming the 
> upload" which isn't the case.

Yeah.  That's wrong.  As far as I can tell, it moves to SUBMITTED 
unconditionally, passing through SUBMIT, whether or not a 
DelegationSignersubmitCommand has been configured.  The practical 
outcome is the same though.  The only way to progress from SUBMITTED is 
to send a ds-seen command.

> It is not clear when one should execute 'ods-enforcer key ds-seen'.  
> Is that as soon as the DS record first appears in the parent zone?  Or 
> should one wait an additional DS TTL so it expires from caches?  I 
> suspect it is the former, but in either case it is not clear what is 
> the point of specifying the parent DS TTL in the policy.

The former, indeed: when the key is available at *all authoritative 
servers* for the parent zone.  The "available for everyone" is important 

I suspect the need to specify the parent DS TTL in the policy relates to 
the transition from rumoured to omnipresent.  Somebody familiar with the 
code would have to confirm this.  I'm afraid to look too closely. :-)


Philip Paeps
Senior Reality Engineer
Alternative Enterprises
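The thread above settles on a simple operational rule: issue `ods-enforcer key ds-seen` only once the new DS is answered by every authoritative server of the parent zone, not one DS TTL later. The script below is an added example and not OpenDNSSEC's own code: it parses DS answers collected from each parent nameserver (here constructed sample text, as you would get from `dig @<server> <zone> DS +norecurse`), reports which servers still lack the expected keytag, and only when none are missing prints the ds-seen command. The server names, keytag and digest are constructed placeholders; the `--zone`/`--keytag` option spelling for `ods-enforcer key ds-seen` is assumed from the 2.x command line and should be checked against your installed version.

```python
"""Gate `ods-enforcer key ds-seen` on the DS being present at all parent servers.

Added example for the opendnssec-user thread above; not part of OpenDNSSEC.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DSRecord:
    owner: str        # normalised owner name, fully qualified
    keytag: int
    algorithm: int
    digest_type: int
    digest: str       # upper-case hex, whitespace removed


# Presentation format: <owner> [TTL] [IN] DS <keytag> <alg> <digest type> <hex digest>
_DS_LINE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$"
)


def parse_ds_answer(text: str) -> set[DSRecord]:
    """Parse the DS records out of one server's answer text, ignoring comments."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _DS_LINE.match(line)
        if not m:
            continue
        owner, keytag, alg, dtype, digest = m.groups()
        owner = owner.lower().rstrip(".") + "."
        records.add(DSRecord(owner, int(keytag), int(alg), int(dtype),
                             re.sub(r"\s+", "", digest).upper()))
    return records


def ds_seen_everywhere(answers: dict[str, str], zone: str, keytag: int):
    """Return (all_present, missing_servers) for the DS with `keytag` on `zone`.

    `answers` maps each authoritative server of the parent to its answer text.
    The DS is considered seen only when *every* server returns it, which is the
    condition the thread gives for running ds-seen.
    """
    zone = zone.lower().rstrip(".") + "."
    missing = []
    for server, text in answers.items():
        tags = {r.keytag for r in parse_ds_answer(text) if r.owner == zone}
        if keytag not in tags:
            missing.append(server)
    return (not missing, missing)


def ds_seen_command(zone: str, keytag: int) -> str:
    """Command to tell the enforcer the DS is visible (option names assumed, 2.x style)."""
    return f"ods-enforcer key ds-seen --zone {zone.rstrip('.')} --keytag {keytag}"


# Constructed sample answers from three hypothetical parent servers: two already
# serve the new DS (keytag 12345), the third still serves only the old one.
NEW_DIGEST = "0000111122223333444455556666777788889999AAAABBBBCCCCDDDDEEEEFFFF"
OLD_DIGEST = "FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666555544443333222211110000"
SAMPLE_ANSWERS = {
    "a.parent-ns.example.": f"example.com. 3600 IN DS 54321 13 2 {OLD_DIGEST}\n"
                            f"example.com. 3600 IN DS 12345 13 2 {NEW_DIGEST}\n",
    "b.parent-ns.example.": ";; ANSWER SECTION:\n"
                            f"example.com. 3600 IN DS 12345 13 2 {NEW_DIGEST}\n",
    "c.parent-ns.example.": f"example.com. 3600 IN DS 54321 13 2 {OLD_DIGEST}\n",
}


def main() -> None:
    zone, keytag = "example.com.", 12345
    ok, missing = ds_seen_everywhere(SAMPLE_ANSWERS, zone, keytag)
    if ok:
        print("DS present at all parent servers; safe to run:")
        print(ds_seen_command(zone, keytag))
    else:
        print("Not yet; DS still missing at:", ", ".join(missing))


if __name__ == "__main__":
    main()
```

With the constructed sample the script refuses to emit the ds-seen command because `c.parent-ns.example.` has not picked up the new DS yet; once every server answers with keytag 12345 it prints the command. The check deliberately ignores TTL: per the thread, the DS TTL in the policy matters for the enforcer's own rumoured-to-omnipresent timing, not for when ds-seen should be sent.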