Boris Gulay via Opendnssec-user wrote on 14.09.2025 14:09:
Stephane Bortzmeyer wrote on 14.09.2025 13:15:
On Sun, Sep 14, 2025 at 01:05:25PM +0300, Boris Gulay via Opendnssec-user <opendnssec-user@lists.opendnssec.org> wrote a message of 46 lines which said:
Zone has two keys as expected. But they have different states: ZSK is in ready state, KSK - publish. Can you please explain which states keys can have and what they mean? I can't change state of KSK with ds-seen or ds-submit.
Publish means it is published in the DNS but not yet usable for a DS
(OpenDNSSEC waits for a TTL). It will switch to Ready by itself.
RFC 7583 may be a good read.
Super, thank you. Found key states in 3.1 of that RFC.
Another question here: what are the defaults for KskRollType and ZskRollType in opendnssec?
Answering my own question. I have no such keys in kasp.xml. I've just checked what values are in the DB (from the source I know that this is the 'minimize' field): POLICY_KEY_MINIMIZE_DS (KskDoubleSignature) for KSK and POLICY_KEY_MINIMIZE_RRSIG (ZskPrePublication) for ZSK.
Then I found where it is set in the source:
https://github.com/opendnssec/opendnssec/blob/2.1/develop/enforcer/src/db/policy_key_ext.c#L355