[Opendnssec-user] Unexpected DS state transition UNSUBMITTED to SUBMITTED (v 2.1.5)

Havard Eidnes he at uninett.no
Tue Jun 29 09:11:14 UTC 2021

> It is not clear when one should execute 'ods-enforcer key ds-seen'.
> Is that as soon as the DS record first appears in the parent zone?

In my setup I use a small perl script which checks that all the
publishing name servers for the parent zone respond with the newly
published DS record before signaling "key ds-seen".

I also think that the <PublishSafety> timer setting plays into when
OpenDNSSEC considers doing the next state transition.  The
documentation is, though, a little vague on this point; it says:

   <PublishSafety> and <RetireSafety> are the publish and retire
   safety margins for the keys. These intervals are safety margins
   added to calculated timing values to give some extra time to cover
   unforeseen events, e.g. in case external events prevent zone

It's not entirely clearly expressed at which time or at which event
these times are added, and what OpenDNSSEC thinks it is free to do
when this timer expires.

> Or should one wait an additional DS TTL so it expires from caches?
> I suspect it is the former, but in either case it is not clear what
> is the point of specifying the parent DS TTL in the policy.

You're probably talking about the <TTL> setting in the <DS> section of
the <Parent> section?  Typically, the parent zone admin sets the TTL
for the DS records it publishes based on its own policy.  Apparently,
OpenDNSSEC uses this timer to calculate the timing of its own actions.
But again, the documentation is a little vague -- when talking about
the SOA timers "used by KASP in its calculations" is all it says.

This part of the config glosses over the fact that there may be more
than one parent zone for the zones under OpenDNSSEC's handling, and
whether the timers configured in this section should be the largest in
the collection of parent zones.

Best regards,

- Håvard

More information about the Opendnssec-user mailing list