On 2021-06-29 00:25:30 (+0800), Wessels, Duane wrote:
> On Jun 28, 2021, at 3:08 AM, Philip Paeps <phi...@trouble.is> wrote:
>> On 2021-06-26 04:25:22 (+0800), Wessels, Duane via Opendnssec-user
>> wrote:
>>> Based on what I read at the Key States Explained page of the wiki, I
>>> expected to see an intermediate SUBMIT state where I would then tell
>>> the enforcer that it has been submitted (but not yet seen).
>>> My syslog has this: [...]
>>
>> As I understand it, the SUBMIT state begins when
>> DelegationSignerSubmitCommand starts executing and ends when it
>> finishes.
>>
>> Because you have no DelegationSignerSubmitCommand configured, the
>> state change is invisible to you.
>>
>> I don't believe there is a way to make a key stay in the
>> ds-unsubmitted state. There is no practical use for such a state
>> though, since nothing will happen to the key until ds-seen is
>> reached. So you may as well hang out in waiting for ds-seen.
>
> Seems like my qualms are mostly with the documentation then. The wiki
> page on key states says "It either waits for the user confirming the
> upload", which isn't the case.

Yeah. That's wrong. As far as I can tell, it moves to SUBMITTED
unconditionally, passing through SUBMIT, whether or not a
DelegationSignerSubmitCommand has been configured. The practical
outcome is the same though. The only way to progress from SUBMITTED is
to send a ds-seen command.

> It is not clear when one should execute 'ods-enforcer key ds-seen'.
> Is that as soon as the DS record first appears in the parent zone? Or
> should one wait an additional DS TTL so it expires from caches? I
> suspect it is the former, but in either case it is not clear what is
> the point of specifying the parent DS TTL in the policy.

The former, indeed: when the key is available at *all authoritative
servers* for the parent zone. The "available for everyone" is important
here.

I suspect the need to specify the parent DS TTL in the policy relates to
the transition from rumoured to omnipresent. Somebody familiar with the
code would have to confirm this. I'm afraid to look too closely. :-)
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
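Added example (not from this thread and not OpenDNSSEC's own code) of the check Philip describes before issuing ds-seen: confirm the expected DS is in the DS RRset at every authoritative server of the parent, not just at one. The parent server names and answers below are constructed, the `--zone`/`--keytag` option names are assumed from OpenDNSSEC 2.x, and in real use the parent server list comes from `dig +short NS <parent>`.

```python
import subprocess
from typing import Callable, Iterable

# query(server, name, rrtype) -> set of RDATA strings from the answer section.
QueryFn = Callable[[str, str, str], set]

def dig_query(server: str, name: str, rrtype: str) -> set:
    """Real lookup via dig; +norecurse makes an authoritative parent server
    answer from its own data only."""
    cmd = ["dig", "+short", "+norecurse", "+time=5", "@" + server, name, rrtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}

def normalize_ds(rdata: str) -> str:
    """'keytag alg digesttype digest' -> single spacing and a joined upper-case
    digest, so split or lower-case digests still compare equal."""
    parts = rdata.split()
    return " ".join(parts[:3] + ["".join(parts[3:]).upper()])

def ds_seen_everywhere(zone: str, expected_ds: str, parent_ns: Iterable[str],
                       query: QueryFn = dig_query):
    """Return (all_seen, missing); missing lists the parent servers whose DS
    RRset for `zone` does not (yet) contain the expected DS."""
    want = normalize_ds(expected_ds)
    missing = [ns for ns in parent_ns
               if want not in {normalize_ds(r) for r in query(ns, zone, "DS")}]
    return (not missing, missing)

def ds_seen_command(zone: str, keytag: str) -> list:
    """Enforcer command to run only once every parent server has the DS.
    Option names assumed from OpenDNSSEC 2.x; check `ods-enforcer key ds-seen --help`."""
    return ["ods-enforcer", "key", "ds-seen", "--zone", zone, "--keytag", keytag]

# Constructed sample answers standing in for two parent servers (not real
# hosts): b.ns has not published the DS yet. Real runs use dig_query.
SAMPLE_ANSWERS = {
    "a.ns.example.": {"12345 13 2 abcdef0123"},
    "b.ns.example.": set(),
}

def sample_query(server: str, name: str, rrtype: str) -> set:
    return SAMPLE_ANSWERS.get(server, set())

if __name__ == "__main__":
    ok, missing = ds_seen_everywhere("child.example.", "12345 13 2 ABCDEF0123",
                                     sorted(SAMPLE_ANSWERS), query=sample_query)
    print(" ".join(ds_seen_command("child.example.", "12345")) if ok
          else "not yet at: " + ", ".join(missing))
```

Running it against the constructed answers reports b.ns.example. as still missing the DS, so ds-seen is withheld; pointing it at real parent servers with the default dig_query gives the same go/no-go decision.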