Hello, I have the same "problem" as Antti:

I have 3 test zones and each has an active KSK and a dsready KSK. The dsready KSK is labelled "When required". If I look in the zonefile, I cannot see this DNSKEY. The only KSK I can find is the active one. What should this dsready state mean? In ODS 1.0, this state didn't exist. Before the ready state, there was a published state.

Thanks

On Mon, May 31, 2010 at 01:40:49PM +0300, Antti Ristimäki wrote:
>
> Hi,
>
> On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> > On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote:
> > > We have 2 situations to consider, "emergency" rollover and scheduled
> > > rollover.
> > >
> > > The standby key is not used for scheduled rollover, a new key will be
> > > pre-published for that.
> > >
> > > The standby key will come into use if a rollover command is issued
> > > out-of-sequence. The thinking here is that the submission of the DS to
> > > the parent is likely to be the slower step in the process, so we can get
> > > this out of the way early on before we need to act fast.
> >
> > OK, this is probably a good idea. But is the scheduled rollover now
> > meant to be initiated only automatically, or how does ods-enforcer
> > differentiate a scheduled rollover from an emergency one, if they are
> > both initiated with the same "ods-ksmutil key rollover..." command?
> >
> > In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> > introduce a new KSK in the DNSKEY RRset rather than using the standby
> > KSK. However, this may be due to the fact that my standby KSK is still
> > in "dspublish" state... I guess the standby KSK will enter "dsready" or
> > similar after the standby DS has propagated to caches?
>
> It seems that if your standby KSK is in "DSREADY" state and you type
> "ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
> signing the DNSKEY RRset with the standby KSK, in addition to the active
> KSK, as expected.
>
> However, the standby KSK doesn't appear in the DNSKEY RRset immediately,
> which I find weird. That is, the DNSKEY RRset is signed with a KSK that
> is not even present in the zone DNSKEY RRset!?
>
> With regards to my previous mail, it would be very nice indeed to be
> able to trigger the "normal" (i.e. non-emergency) rollover manually, for
> example for testing purposes etc. Now it doesn't seem to be possible.
>
> Regards,
>
> Antti
>
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>

-- 
Pierre Lebrech
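The situation Antti describes (a DNSKEY RRset carrying an RRSIG whose key tag matches no key in the RRset) is easy to check for from the signed zone file itself. The script below is an added example, not part of this thread and not OpenDNSSEC code: it parses single-line DNSKEY and RRSIG records, computes each key's RFC 4034 key tag, and reports which KSKs are actually published, which key tags sign the DNSKEY RRset, and which of those signers are "orphans" (present only as a signature). The zone text and key material are constructed for illustration; the base64 keys are a few bytes long rather than real RSA keys, and the sample assumes the signer writes one record per line.

```python
"""Audit a signed zone's DNSKEY RRset against its RRSIG(DNSKEY) records.

Added example (not from the mailing-list thread, not OpenDNSSEC code).
Flags a DNSKEY RRset that is signed by a key tag absent from the RRset,
and lists which KSKs (SEP bit set, flags 257) are actually published.
Assumption: records are in presentation format, one per line.
"""
import base64
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(zone_text: str):
    """Return (dnskeys, rrsigs) from the DNSKEY and RRSIG lines of a zone.

    dnskeys: list of (owner, flags, algorithm, key_tag)
    rrsigs:  list of (owner, type_covered, key_tag)
    Other record types and ';' comments are skipped; multi-line '( )'
    records are not handled (assumption: one record per line).
    """
    dnskeys, rrsigs = [], []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        # Locate the type token so a missing TTL or class does not matter.
        idx = next((i for i, t in enumerate(f) if t in ("DNSKEY", "RRSIG")), None)
        if idx is None:
            continue
        owner, rtype, rd = f[0], f[idx], f[idx + 1:]
        if rtype == "DNSKEY":
            # DNSKEY rdata: flags protocol algorithm base64-key...
            flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
            pub = base64.b64decode("".join(rd[3:]))
            dnskeys.append((owner, flags, alg, key_tag(flags, proto, alg, pub)))
        else:
            # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig
            rrsigs.append((owner, rd[0], int(rd[6])))
    return dnskeys, rrsigs


def audit_dnskey_rrset(zone_text: str) -> dict:
    """Compare the published DNSKEYs with the key tags that sign the RRset."""
    dnskeys, rrsigs = parse_zone(zone_text)
    published = {tag for (_, _, _, tag) in dnskeys}
    ksk_published = {tag for (_, flags, _, tag) in dnskeys if flags & 1}  # SEP bit
    dnskey_signers = {tag for (_, covered, tag) in rrsigs if covered == "DNSKEY"}
    return {
        "published": published,
        "ksk_published": ksk_published,
        "dnskey_signers": dnskey_signers,
        # Signatures over DNSKEY made by a key that is not in the RRset:
        "orphan_signers": dnskey_signers - published,
        # Published KSKs that do not (yet) sign the RRset, e.g. pre-published:
        "ksk_not_signing": ksk_published - dnskey_signers,
    }


# Constructed sample: an active KSK (tag 1545), a ZSK (tag 1802), and an
# RRSIG by a third KSK (tag 2059) that is not present in the DNSKEY RRset.
SAMPLE_ZONE = """\
; constructed sample, not real OpenDNSSEC signer output
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2010060101 3600 900 1209600 3600
example.test. 3600 IN DNSKEY 257 3 8 AQAB      ; active KSK
example.test. 3600 IN DNSKEY 256 3 8 AwEAAQ==  ; ZSK
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20100630000000 20100601000000 1545 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20100630000000 20100601000000 2059 example.test. c2lnMg==
"""

if __name__ == "__main__":
    report = audit_dnskey_rrset(SAMPLE_ZONE)
    for name, tags in report.items():
        print(f"{name:16s} {sorted(tags)}")
    if report["orphan_signers"]:
        print("WARNING: DNSKEY RRset is signed by key tag(s) not in the RRset:",
              sorted(report["orphan_signers"]))
```

Running it against the constructed zone reports orphan signer 2059 while the only published KSK is 1545, which is exactly the state Antti saw after the emergency rollover. On a real zone, point it at the signer's output file and compare the reported tags with the key tags the enforcer lists for the zone; a standby KSK in dspublish would show up under ksk_not_signing, and a DS-ready standby that has just been rolled to would appear under orphan_signers until its DNSKEY is published.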
