[Opendnssec-user] Key states question
Boris Gulay
boris at boressoft.ru
Sun Sep 14 13:27:52 UTC 2025
Boris Gulay via Opendnssec-user wrote on 14.09.2025 14:09:
> Stephane Bortzmeyer wrote on 14.09.2025 13:15:
>> On Sun, Sep 14, 2025 at 01:05:25PM +0300,
>> Boris Gulay via Opendnssec-user
>> <opendnssec-user at lists.opendnssec.org> wrote
>> a message of 46 lines which said:
>>
>>> Zone has two keys as expected. But they have different states: ZSK is in
>>> ready state, KSK - publish. Can you please explain which states can keys
>>> have and what do they mean? I can't change state of KSK with ds-seen or
>>> ds-submit.
>>
>> Publish means it is published in the DNS but not yet usable for a DS
>> (OpenDNSSEC waits for a TTL). It will switch to Ready by itself.
>>
>> RFC 7583 may be a good read.
>
> Super, thank you. Found key states in 3.1 of that RFC.
>
> Another question here: what are defaults for KskRollType and
> ZskRollType in opendnssec?
Answering my own question. I have no such keys in kasp.xml. I've just
checked what values are in DB (from source I know that this is
'minimize' field): POLICY_KEY_MINIMIZE_DS (KskDoubleSignature) for KSK
and POLICY_KEY_MINIMIZE_RRSIG (ZskPrePublication) for ZSK.
Then I've found where it is set in source:
https://github.com/opendnssec/opendnssec/blob/2.1/develop/enforcer/src/db/policy_key_ext.c#L355