> It is not clear when one should execute 'ods-enforcer key ds-seen'.
> Is that as soon as the DS record first appears in the parent zone?

In my setup I use a small perl script which checks that all the publishing name servers for the parent zone respond with the newly published DS record before signaling "key ds-seen". I also think that the <PublishSafety> timer setting plays into when OpenDNSSEC considers doing the next state transition. The documentation is, though, a little vague on this point; it says:

    <PublishSafety> and <RetireSafety> are the publish and retire safety
    margins for the keys. These intervals are safety margins added to
    calculated timing values to give some extra time to cover unforeseen
    events, e.g. in case external events prevent zone publication.

It's not entirely clearly expressed at which time or at which event these times are added, and what OpenDNSSEC thinks it is free to do when this timer expires.

> Or should one wait an additional DS TTL so it expires from caches?
> I suspect it is the former, but in either case it is not clear what
> is the point of specifying the parent DS TTL in the policy.

You're probably talking about the <TTL> setting in the <DS> section of the <Parent> section? Typically, the parent zone admin sets the TTL for the DS records it publishes based on its own policy. Apparently, OpenDNSSEC uses this timer to calculate the timing of its own actions. But again, the documentation is a little vague -- when talking about the SOA timers "used by KASP in its calculations" is all it says.

This part of the config glosses over the fact that there may be more than one parent zone for the zones under OpenDNSSEC's handling, and whether the timers configured in this section should be the largest in the collection of parent zones.

Best regards,

- Håvard

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
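The check described in the reply above (every authoritative server of the parent zone must already answer with the new DS before "key ds-seen" is signaled), written out as an added example. This is not the poster's perl script and not part of OpenDNSSEC; it is a Python sketch in which the DNS lookup is abstracted behind a `query` callable so that the decision logic runs offline. The nameserver names, the DS digests and the `lagging_query` / `settled_query` responses are all constructed for illustration; in production you would back `query` with real non-recursive queries to each NS listed for the parent zone.

```python
"""Decide whether 'ods-enforcer key ds-seen' may be issued: the new DS must be
served by *all* publishing name servers of the parent zone, not just one.

Added example; DNS access is injected via `query(nameserver, owner)`, which
returns (set_of_DS_rdata_strings, ttl) for the DS RRset of `owner`.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class DS:
    """One DS record, normalised so that textual differences (digest case,
    digest split across whitespace as dig prints it) do not hide a match."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, upper case, no whitespace

    @classmethod
    def parse(cls, rdata: str) -> "DS":
        """Parse DS presentation format: '<keytag> <alg> <digesttype> <hex...>'."""
        fields = rdata.split()
        if len(fields) < 4:
            raise ValueError(f"not a DS record: {rdata!r}")
        return cls(int(fields[0]), int(fields[1]), int(fields[2]),
                   "".join(fields[3:]).upper())


QueryFn = Callable[[str, str], Tuple[Set[str], int]]


def ds_seen_everywhere(owner: str, expected_ds: str,
                       parent_nameservers: Iterable[str],
                       query: QueryFn) -> Tuple[bool, Dict[str, bool], int]:
    """Return (all_seen, per-nameserver status, largest DS TTL observed).

    A server that fails to answer counts as 'not seen': it is safer to delay
    ds-seen than to let the enforcer roll ahead of a lagging secondary.
    The largest TTL is reported because a resolver may hold the old DS for
    up to that long after every server has switched over.
    """
    expected = DS.parse(expected_ds)
    status: Dict[str, bool] = {}
    max_ttl = 0
    for ns in parent_nameservers:
        try:
            rdatas, ttl = query(ns, owner)
        except Exception:  # timeout, SERVFAIL, etc. -> treat as not seen
            status[ns] = False
            continue
        status[ns] = any(DS.parse(r) == expected for r in rdatas)
        max_ttl = max(max_ttl, ttl)
    return all(status.values()), status, max_ttl


# --- constructed sample data (placeholders, not real keys) -------------------
CHILD = "child.example."
PARENT_NS = ["ns1.parent.example.", "ns2.parent.example.", "ns3.parent.example."]
OLD_DS = "54321 8 2 " + "cd" * 32
NEW_DS = "12345 8 2 " + "ab" * 32
# Same digest as NEW_DS, but upper case and split across whitespace.
NEW_DS_SPLIT = "12345 8 2 " + "AB" * 16 + " " + "AB" * 16


def lagging_query(ns: str, owner: str) -> Tuple[Set[str], int]:
    """Constructed: ns3 has not yet received the zone with the new DS."""
    table = {
        "ns1.parent.example.": ({OLD_DS, NEW_DS}, 3600),
        "ns2.parent.example.": ({OLD_DS, NEW_DS_SPLIT}, 7200),
        "ns3.parent.example.": ({OLD_DS}, 3600),
    }
    return table[ns]


def settled_query(ns: str, owner: str) -> Tuple[Set[str], int]:
    """Constructed: every server now serves the new DS."""
    return ({NEW_DS_SPLIT}, 3600)


def check_lagging() -> Tuple[bool, Dict[str, bool], int]:
    return ds_seen_everywhere(CHILD, NEW_DS, PARENT_NS, lagging_query)


def check_settled() -> Tuple[bool, Dict[str, bool], int]:
    return ds_seen_everywhere(CHILD, NEW_DS, PARENT_NS, settled_query)


if __name__ == "__main__":
    for label, result in (("lagging", check_lagging()), ("settled", check_settled())):
        ok, status, ttl = result
        print(f"{label}: safe to signal ds-seen = {ok}, max DS TTL = {ttl}, {status}")
```

Only when `ds_seen_everywhere` reports `True` would the script go on to run `ods-enforcer key ds-seen`; the reported maximum TTL is the value a cautious operator compares against the policy's <DS><TTL> for that parent, and across several parents the largest one is the conservative choice.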