On 10-08-16 at 17:38, Yuri Schaeffer wrote:
>
>
> On 10-08-16 15:13, Fred.Zwarts wrote:
>> Thanks, this helps a bit.
>> But "dead", "unknown" and "mixed" still result in "unknown keystate,
>> Error parsing arguments" when used to export keys.
>
> Ah yes, I was reading the wrong piece of code. There is some more code
> that applies a filter on the input arguments. That code accepts:
>
> generate, publish, ready, active, retire, revoke
Hi,

Sorry for the late reply, but I feel this part has yet to be fully documented.

I'm trying to convert my tools to ODS2, but I ran into problems due to a lack of understanding of the process. There is a lot of information on https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained but it is cryptic at best*. The useful information seems to be in the second half of the page. Nowhere is it explained how all the state machines go together, what is expected from the user, what the relation is to the states of the DS at the parent, or whether or not backup is a state. I consider myself an experienced ODS1 user and I'm not sure I fully get it.

This mail started out as a request for help, but I solved my particular problem while writing it. I post it anyway to validate that I got it right and perhaps to help the next person that needs it.

Here is my description of the typical workflow from the point of view of a user.

====
Generate ~= KEY_DATA_DS_AT_PARENT_UNSUBMITTED
  state: A new key has been generated and has been added to the zone.
  next:  Automatic.

Publish.1
  state: Key is not ready to be published.
  next:  Issue 'backup prepare'.

Publish.2
  state: Database is ready to make a backup.
  next:  Make a backup and issue 'backup commit'.

Publish.3 ~= KEY_DATA_DS_AT_PARENT_SUBMIT
  state: Key is backed up.
  next:  Request to upload the DS to the parent by calling 'ds-submit'.

Ready.1 ~= KEY_DATA_DS_AT_PARENT_SUBMITTED
  state: Key is being published and spread to the parent's DNS servers.
  next:  Confirm that the DS is fully published by the parent with 'ds-seen'.

Ready.2 ~= KEY_DATA_DS_AT_PARENT_SEEN
  state: Everything is ready but the new key is not actually used.
  next:  Nothing, just wait until the next time the enforcer runs.

Active
  state: The key is in active use.
  next:  Wait, or request to stop using this key by calling 'rollover'.

Retire ~= KEY_DATA_DS_AT_PARENT_RETRACT
  state: Key is no longer used for new signatures.
  next:  Request to remove the DS from the parent by calling 'ds-retract'.

Revoke ~= KEY_DATA_DS_AT_PARENT_RETRACTED
  state: Key is not used at all.
  next:  Confirm the DS has been removed by the parent with 'ds-gone'.

The signer will issue the ds-submit and ds-retract commands on its own. The 'ds-seen' and 'ds-gone' commands must be invoked by the user or an external script.
=====

I'm using ODS 2.0.4 as provided by Debian Stretch.

* The comparison with ODS1 and the description of the four state machines are more confusing than helpful to new users. IMHO these state machines are mostly irrelevant to the user and should not be the first thing they read about.

--
Casper Gielen <cgie...@uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telephone 013 466 4100 | G 236 | http://www.uvt.nl
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
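The two steps the post leaves to "the user or an external script" are 'ds-seen' and 'ds-gone'. The script below is an added example of such an external script; it is not code from OpenDNSSEC or from the thread. It checks the parent's authoritative servers directly (recursion disabled, so a cached answer cannot satisfy it) and only calls ods-enforcer once every server agrees. Everything about the ods-enforcer command line is an assumption taken from the thread and the posted state mapping, not verified against the 2.0.4 manual: that 'key export --zone Z --keystate S --ds' prints DS records, that 'key ds-seen' and 'key ds-gone' take '--zone' and '--keytag', and that keystate 'ready' holds the keys waiting for ds-seen and 'revoke' the keys waiting for ds-gone. The sample dig answer and DS records embedded at the end are constructed.

```shell
#!/bin/sh
# ds-parent-check.sh: added example, not OpenDNSSEC code.
# Confirms at EVERY authoritative server of the parent that the DS of keys
# waiting for 'ds-seen' is published (or, for 'ds-gone', absent everywhere)
# before telling ods-enforcer. ASSUMED ods-enforcer syntax (check 'help'):
#   key export --zone Z --keystate S --ds ; key ds-seen|ds-gone --zone Z --keytag T
# ASSUMED keystates, following the mapping in the post: ready -> ds-seen,
# revoke -> ds-gone.
set -eu

# Normalise DS RRs in zone-file form (from dig or 'key export --ds') to
# "KEYTAG ALG DIGESTTYPE digest" lines, sorted and de-duplicated. dig prints
# the digest in upper case and splits long digests into several chunks, so
# chunks are joined and lower-cased. Comment lines and non-DS RRs are dropped.
ds_fingerprints() {
  awk '
    /^[ \t]*;/ { next }
    {
      for (i = 1; i <= NF; i++) if (toupper($i) == "DS") break
      if (i + 4 > NF) next
      digest = ""
      for (j = i + 4; j <= NF; j++) digest = digest $j
      printf "%s %s %s %s\n", $(i + 1), $(i + 2), $(i + 3), tolower(digest)
    }' | sort -u
}

# Print every line of $1 that does not occur in $2 (newline-separated lists).
ds_missing() {
  printf '%s\n' "$2" | awk -v want="$1" '
    BEGIN { n = split(want, w, "\n") }
    { have[$0] = 1 }
    END { for (i = 1; i <= n; i++) if (w[i] != "" && !(w[i] in have)) print w[i] }'
}

# DS fingerprints for zone $1 as served by parent nameserver $2 (RD=0).
# Anything but NOERROR aborts: an unreachable or lame server must never be
# mistaken for "the DS is gone".
parent_ds_at() {
  out=$(dig +norecurse +noall +comments +answer "@$2" "$1" DS) || {
    echo "dig @$2 $1 DS failed" >&2; return 1; }
  case $out in
    *"status: NOERROR"*) ;;
    *) echo "$2 did not answer NOERROR for $1 DS" >&2; return 1 ;;
  esac
  printf '%s\n' "$out" | ds_fingerprints
}

# ds_confirm seen|gone ZONE [PARENT-NS ...]
# Without explicit servers the NS set of the zone minus its first label is
# used; pass the servers for zones cut more than one label below the parent.
ds_confirm() {
  mode=$1; zone=$2; shift 2
  case $mode in
    seen) state=ready ;;
    gone) state=revoke ;;
    *) echo "mode must be seen or gone" >&2; return 1 ;;
  esac
  expected=$(ods-enforcer key export --zone "$zone" --keystate "$state" --ds | ds_fingerprints)
  [ -n "$expected" ] || { echo "$zone: no keys in state $state"; return 0; }
  [ $# -gt 0 ] || set -- $(dig +short NS "${zone#*.}")
  [ $# -gt 0 ] || { echo "$zone: no parent nameservers found" >&2; return 1; }
  missing_any=""; present_any=""
  for ns in "$@"; do
    seen=$(parent_ds_at "$zone" "$ns")           # aborts the run on failure
    missing_here=$(ds_missing "$expected" "$seen")
    present_here=$(ds_missing "$expected" "$missing_here")
    missing_any="$missing_any
$missing_here"
    present_any="$present_any
$present_here"
  done
  if [ "$mode" = seen ]; then
    targets=$(ds_missing "$expected" "$missing_any")   # present at every server
  else
    targets=$(ds_missing "$expected" "$present_any")   # present at no server
  fi
  printf '%s\n' "$targets" | while read -r keytag alg dtype digest; do
    [ -n "$keytag" ] || continue
    echo "$zone: DS $keytag/$alg/$dtype confirmed '$mode' at $# server(s), calling ds-$mode"
    ods-enforcer key "ds-$mode" --zone "$zone" --keytag "$keytag"
  done
}

# Constructed samples (not real keys): a dig answer from the parent with one
# digest split in two chunks, and a 'key export --ds' listing of two ready
# keys of which 23456 is not yet at the parent.
SAMPLE_PARENT_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
example.com. 86400 IN DS 12345 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
example.com. 86400 IN DS 12345 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE'
SAMPLE_EXPECTED='example.com. 3600 IN DS 12345 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
example.com. 3600 IN DS 23456 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

if [ $# -gt 0 ]; then
  ds_confirm "$@"     # e.g. ds-parent-check.sh seen example.com [ns1.parent ...]
fi
```

Run it from cron once for 'seen' and once for 'gone' per zone. It answers only the question the post leaves to the operator, "is the DS at the parent (or not) on all of the parent's servers"; it does not wait out TTLs, which the enforcer's own timing already accounts for, and it deliberately refuses to call ds-gone when any parent server fails to answer, since an empty answer from a dead server is not evidence that the DS is gone.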