On 2021-06-26 04:25:22 (+0800), Wessels, Duane via Opendnssec-user
wrote:
Hi, I'm doing some tests with OpenDNSSEC. My version is 2.1.5, from
Ubuntu packages.
I see the output of 'ods-enforcer key list -d' go from:
aaa.example.com KSK publish ds-unsubmitted 128 13 0248f9eeaf8c305491a2989f74683c8b SoftHSM 33278
to:
aaa.example.com KSK ready waiting for ds-seen 128 13 0248f9eeaf8c305491a2989f74683c8b SoftHSM 33278
Based on what I read at the Key States Explained page of the wiki, I
expected to see an intermediate SUBMIT state where I would then tell
the enforcer that it has been submitted (but not yet seen).
My syslog has this:
Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] please submit DS with keytag 33278 for zone aaa.example.com
Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] performing signconf for zone aaa.example.com
Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] signconf done for zone aaa.example.com, notifying signer
Jun 25 19:57:52 ods ods-signerd: [signconf] zone aaa.example.com signconf: RESIGN[PT1M] REFRESH[PT1H] VALIDITY[P1D] DENIAL[P1D] KEYSET[PT0S] JITTER[PT30M] OFFSET[PT10M] NSEC[50] DNSKEYTTL[PT5M] SOATTL[PT5M] MINIMUM[PT5M] SERIAL[unixtime]
Jun 25 19:57:52 ods ods-signerd: [STATS] aaa.example.com 1624651072 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=7 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jun 25 19:57:52 ods ods-enforcerd: [keystate_ds_x_cmd] No "DelegationSignersubmitCommand" configured.
Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] No changes to signconf file required for zone aaa.example.com
As I understand it, the SUBMIT state begins when
DelegationSignersubmitCommand starts executing and ends when it
finishes.
Because you have no DelegationSignersubmitCommand configured, the state
change is invisible to you.
I don't believe there is a way to make a key stay in the ds-unsubmitted
state. There is no practical use for such a state though, since nothing
will happen to the key until ds-seen is reached. So you may as well
hang out in waiting for ds-seen.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
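A hook of the kind Philip describes, as an added example that is not OpenDNSSEC's own code: it assumes the enforcer pipes the zone's DNSKEY records, one per line in presentation format, to the stdin of the command configured as DelegationSignerSubmitCommand in conf.xml (the script name and stdin format are assumptions here), and it derives the RFC 4034 key tag and an RFC 4509 SHA-256 DS record for each KSK so that the otherwise invisible SUBMIT step leaves a record the operator can act on.

```python
# Added example of a DelegationSignerSubmitCommand hook, not OpenDNSSEC's own code.
# Assumption: DNSKEY RRs arrive one per line in presentation format on stdin.
import base64
import hashlib
import struct
import sys

def owner_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def parse_dnskey(line):
    """Return (owner, algorithm, rdata) from 'owner [ttl] [IN] DNSKEY flags proto alg b64'."""
    toks = line.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(toks[i + 4:]))
    return toks[0], alg, rdata

def keytag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for idx, b in enumerate(rdata):
        ac += (b << 8) if idx % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, alg, rdata):
    """Presentation-format DS RR with digest type 2 (SHA-256 over owner wire + RDATA)."""
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {keytag(rdata)} {alg} 2 {digest}"

def ds_records_for_ksks(lines):
    """DS records for every DNSKEY whose SEP bit (flags & 1) marks it as a KSK."""
    out = []
    for line in lines:
        if "DNSKEY" in line.split():
            owner, alg, rdata = parse_dnskey(line)
            if struct.unpack("!H", rdata[:2])[0] & 1:
                out.append(ds_record(owner, alg, rdata))
    return out

if __name__ == "__main__":
    # Print the DS records for the registrar step (or append them to a queue file).
    for ds in ds_records_for_ksks(sys.stdin):
        print(ds)
```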