> On Jun 28, 2021, at 3:08 AM, Philip Paeps <phi...@trouble.is> wrote:
>
> On 2021-06-26 04:25:22 (+0800), Wessels, Duane via Opendnssec-user wrote:
>
>> Hi, I'm doing some tests with OpenDNSSEC. My version is 2.1.5, from Ubuntu packages.
>>
>> I see the output of 'ods-enforcer key list -d' go from:
>>
>> aaa.example.com KSK publish ds-unsubmitted 128 13 0248f9eeaf8c305491a2989f74683c8b SoftHSM 33278
>>
>> to:
>>
>> aaa.example.com KSK ready waiting for ds-seen 128 13 0248f9eeaf8c305491a2989f74683c8b SoftHSM 33278
>>
>> Based on what I read at the Key States Explained page of the wiki, I expected to see an intermediate SUBMIT state where I would then tell the enforcer that it has been submitted (but not yet seen).
>>
>> My syslog has this:
>>
>> Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] please submit DS with keytag 33278 for zone aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] performing signconf for zone aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [signconf_cmd] signconf done for zone aaa.example.com, notifying signer
>> Jun 25 19:57:52 ods ods-signerd: [signconf] zone aaa.example.com signconf: RESIGN[PT1M] REFRESH[PT1H] VALIDITY[P1D] DENIAL[P1D] KEYSET[PT0S] JITTER[PT30M] OFFSET[PT10M] NSEC[50] DNSKEYTTL[PT5M] SOATTL[PT5M] MINIMUM[PT5M] SERIAL[unixtime]
>> Jun 25 19:57:52 ods ods-signerd: [STATS] aaa.example.com 1624651072 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=7 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
>> Jun 25 19:57:52 ods ods-enforcerd: [keystate_ds_x_cmd] No "DelegationSignersubmitCommand" configured.
>> Jun 25 19:57:52 ods ods-enforcerd: [enforcer] update zone: aaa.example.com
>> Jun 25 19:57:52 ods ods-enforcerd: [enforce_task] No changes to signconf file required for zone aaa.example.com
>
> As I understand it, the SUBMIT state begins when DelegationSignersubmitCommand starts executing and ends when it finishes.
>
> Because you have no DelegationSignersubmitCommand configured, the state change is invisible to you.
>
> I don't believe there is a way to make a key stay in the ds-unsubmitted state. There is no practical use for such a state though, since nothing will happen to the key until ds-seen is reached. So you may as well hang out in waiting for ds-seen.
Thanks Philip and Håvard for the responses. Seems like my qualms are mostly with the documentation then. The wiki page on key states says "It either waits for the user confirming the upload" which isn't the case.

It is not clear when one should execute 'ods-enforcer key ds-seen'. Is that as soon as the DS record first appears in the parent zone? Or should one wait an additional DS TTL so it expires from caches? I suspect it is the former, but in either case it is not clear what is the point of specifying the parent DS TTL in the policy.

DW
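An added example, not code from this thread or from the OpenDNSSEC project: before running `ods-enforcer key ds-seen` for the key tag the enforcer logged ("please submit DS with keytag ..."), confirm that the DS RRset the parent actually serves carries that key tag and that its digest recomputes from your KSK's DNSKEY. The DNSKEY bytes and the parent's DS lines below are constructed; in practice the DS lines come from querying the parent zone's authoritative servers.

```python
"""Confirm the parent's DS RRset matches our KSK before running 'ods-enforcer key ds-seen'."""
import hashlib
import struct

# Constructed sample KSK: flags 257 (SEP/KSK), protocol 3, algorithm 13, dummy 64-byte public key.
SAMPLE_OWNER = "aaa.example.com."
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags | protocol | algorithm | key)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(owner: str) -> bytes:
    """Canonical lower-case wire form of the owner name (RFC 4034 section 5.1.4)."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Hex DS digest = hash(canonical owner name | DNSKEY RDATA); type 2 is SHA-256, 4 is SHA-384."""
    algo = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest()

def parse_ds(line: str) -> dict:
    """Parse a DS record in presentation format: '<owner> [TTL] [IN] DS <tag> <alg> <dtype> <hex>'."""
    fields = line.split()
    i = fields.index("DS")
    return {"keytag": int(fields[i + 1]), "algorithm": int(fields[i + 2]),
            "digest_type": int(fields[i + 3]), "digest": "".join(fields[i + 4:]).lower()}

def ds_matches_ksk(owner: str, rdata: bytes, ds_lines: list) -> bool:
    """True iff some DS in the parent's RRset carries our key tag and algorithm and its digest
    recomputes from our DNSKEY. Only then does ds-seen describe what the parent really serves."""
    tag, alg = key_tag(rdata), rdata[3]
    for line in ds_lines:
        ds = parse_ds(line)
        if ds["keytag"] == tag and ds["algorithm"] == alg and ds["digest_type"] in (2, 4):
            if ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]):
                return True
    return False

if __name__ == "__main__":
    # Constructed parent answer: a DS for some older key plus the DS we expect for SAMPLE_RDATA.
    parent = [f"{SAMPLE_OWNER} 3600 IN DS 12345 13 2 {'00' * 32}",
              f"{SAMPLE_OWNER} 3600 IN DS {key_tag(SAMPLE_RDATA)} 13 2 {ds_digest(SAMPLE_OWNER, SAMPLE_RDATA)}"]
    print("parent DS matches KSK, safe to run ds-seen" if ds_matches_ksk(SAMPLE_OWNER, SAMPLE_RDATA, parent)
          else "DS for this KSK not visible at the parent yet")
```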
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user