[Opendnssec-user] ods-enforcer key ds-submit & ds-retract?

Havard Eidnes he at uninett.no
Thu Mar 25 18:19:24 UTC 2021


Hi,

the man page for ods-enforcer contains among other things:

       key ds-submit --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-submit to the enforcer for a KSK.

       key ds-seen --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-seen to the enforcer for a KSK.

       key ds-seen --all
              Issue a ds-seen for all ready (for ds-seen) KSKs. This command
              indicates to OpenDNSSEC that a submitted DS record has appeared
              in the parent zone, and thereby trigger the completion of a KSK
              rollover.

       key ds-retract --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-retract to the enforcer for a KSK.

       key ds-gone --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-gone to the enforcer for a KSK.

The documentation for ds-submit, ds-retract and, for that matter,
ds-gone could stand with an improvement to explain a little better
what they actually do, along the lines of the documentation for "key
ds-seen --all".

Am I correct in assuming that "ds-submit" and "ds-retract" will simply
ask the enforcer to run the <DelegationSignerSubmitCommand> and
<DelegationSignerRetractCommand>, and are not signaling "I just tried
to submit / retract the DS record (via other means)"?  And that those
operations are not needed to be performed by the operator (or support
scripts) in normal operation, as long as DS records are added or
retracted via other means?  (Yes, I'm adapting my support scripts
which were used with OpenDNSSEC 1.4.x.)

Yes, yes, I know that OpenDNSSEC v2 operates with all these rather
cleverly and incomprehensibly named states for the various aspects of
a key, but as far as I'm concerned, a KSK goes from "publish" (newborn
KSK) to "ready", "active", "retire" and then to "dead"(?), and with
this context, the question I'm asking is which of these transitions
needs a nudge from the operator (or support scripts)?  My current best
guess is "ready -> active" (done via ds-seen, confirming that all the
parent zone publishing name servers now publish the new DS record) and
"retire -> dead" (done via ds-gone, confirming that the associated DS
record is now no longer published by any of the parent zone name
servers)?

If I get some confirmation or clarification, I'll prepare a suggested
change to the man page.

Regards,

- Håvard
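As an added example (not part of the post or of OpenDNSSEC itself), the check the question implies before nudging the enforcer: ds-seen only once every parent-zone name server publishes the new DS, ds-gone only once none of them publishes the old one. The parent-server answers, the zone name and the function names are constructed assumptions; in production the DS sets would come from querying each parent name server directly.

```python
"""Decide when a KSK rollover may be nudged with ds-seen or ds-gone.

Constructed example: the DS RRsets below stand in for what each
authoritative name server of the parent zone would return to a DS query.
"""
from typing import Dict, List, Optional, Tuple

DS = Tuple[int, int, int, str]  # (keytag, algorithm, digest type, digest hex)

# Constructed sample: DS RRset as seen on each parent-zone name server.
# ns3 has not yet picked up the new DS (keytag 1043).
SAMPLE_PARENT_ANSWERS: Dict[str, List[DS]] = {
    "ns1.parent.example": [(1043, 13, 2, "ab" * 32), (2101, 13, 2, "cd" * 32)],
    "ns2.parent.example": [(1043, 13, 2, "ab" * 32), (2101, 13, 2, "cd" * 32)],
    "ns3.parent.example": [(2101, 13, 2, "cd" * 32)],
}

def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other
    than 1); this is the value passed to ods-enforcer as --keytag."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_presence(answers: Dict[str, List[DS]], keytag: int) -> Dict[str, bool]:
    """Map each parent name server to whether it publishes a DS for keytag."""
    return {ns: any(ds[0] == keytag for ds in rrset) for ns, rrset in answers.items()}

def rollover_nudge(answers: Dict[str, List[DS]], keytag: int, pending: str) -> Optional[str]:
    """pending='submit': return 'ds-seen' once ALL servers publish the DS
    (ready -> active).  pending='retract': return 'ds-gone' once NONE of them
    does (retire -> dead).  Return None while the servers still disagree, so
    the enforcer is not nudged in the middle of parent-side propagation."""
    present = ds_presence(answers, keytag)
    if pending == "submit" and all(present.values()):
        return "ds-seen"
    if pending == "retract" and not any(present.values()):
        return "ds-gone"
    return None

def enforcer_command(zone: str, keytag: int, nudge: str) -> List[str]:
    """argv for the nudge, in the form the quoted man page gives (hypothetical zone)."""
    return ["ods-enforcer", "key", nudge, "--zone", zone, "--keytag", str(keytag)]
```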