Is there some detailed documentation regarding the enhanced KSK rollover functionality introduced in version 1.1? I looked for it but was not able to find it.
I was experimenting with automatic/semi-automatic KSK rollover and have some doubts:

- After step 6) below, what should be the action performed by the DSSubmit command?
- If ds-seen is issued for K3 with --no-retire, both K2 and K3 get into active state
- If ds-seen is issued for K3 without --no-retire, K3 becomes active and K2 is retired

Both the above situations are probably not correct. And if we do not issue ds-seen for K3 at all, no rollover occurs when K2's lifetime comes to an end.

Regards,
Anirban

1) K1 publish   K2 dssub   Zone: K1
2) K1 ready   K2 dssub   Zone: K1
   => DSSubmit cmd fired by Enforcer with K1,K2
   [Send K1,K2 DS records to parent registry
    Wait
    issue ds-seen cmd on K1 -> makes K1 active
    issue ds-seen cmd on K2 -> moves K2 to dspublish]
3) K1 active   K2 dspublish   Zone: K1
4) K1 active   K2 dsready   Zone: K1
.....
.....
5) K1 active   K2 keypublish   K3 publish   Zone: K1,K2,K3
6) K1 retire   K2 active   K3 ready   K4 ds-sub   Zone: K1,K2,K3   [Rollover has occurred]
   DSSubmit cmd fired by Enforcer with K1,K2,K3,K4
   [Send K2,K3 DS records to parent registry
    what to do here ?....]
