Hi,

> So DelegationSignerSubmitCommand gets DNSKEY, calculates DS, submits DS,
> schedules process to wait for DS actually in parent, waits a wee bit
> longer and then marks ds-seen. Sounds good.

The general procedure that we follow for parenting goes through a number of states, for each of which we store the DNSKEY set, and when differences exist between one state and the next we try to make the required changes. The states and their updating constraints are:

0signer  The signer DNSKEY set
1author  Ditto, after it has become visible on all authoritative name servers
2mature  Ditto, after the TTL on the DNSKEYs has passed
3parent  The DNSKEY set supported in the parent’s DS records
4public  Ditto, now published on all authoritatives
5dshold  Ditto, after the TTL on the DS has expired
6dsseen  Ditto, but now reported to OpenDNSSEC through ds-seen

We’ve got this implemented at SURFnet for the subdomains of .nl and our own domains. The procedure has proven to be rock-solid — the only problem we’ve had with it was that authoritatives that were down blocked the wait-for-all-authoritatives tests :)

-Rick
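
Added example, not part of the message above and not SURFnet's or OpenDNSSEC's code: a Python sketch of the seven-state pipeline, in which a key set is copied forward only when the next state's constraint holds and an authoritative that is down blocks the wait-for-all-authoritatives test. The observation fields, function names, the reading of each constraint and the key tag 12345 are assumptions made for illustration.

```python
# Added sketch; observation fields, names and the key tag 12345 are constructed.
STATES = ["0signer", "1author", "2mature", "3parent", "4public", "5dshold", "6dsseen"]

def all_serve(answers, keys):
    """True only if every authoritative answered with exactly `keys`.
    A server that is down (None) fails the test and blocks the transition."""
    return all(a is not None and frozenset(a) == keys for a in answers.values())

# Constraint for entering a state: k = previous state's key set, t = when the
# previous state last changed, o = current observations, now = current time.
CONSTRAINTS = {
    "1author": lambda k, t, o, now: all_serve(o["child_auth"], k),
    "2mature": lambda k, t, o, now: now - t >= o["dnskey_ttl"],
    "3parent": lambda k, t, o, now: frozenset(o["parent_ds"]) == k,
    "4public": lambda k, t, o, now: all_serve(o["parent_auth"], k),
    "5dshold": lambda k, t, o, now: now - t >= o["ds_ttl"],
    "6dsseen": lambda k, t, o, now: True,  # caller then reports ds-seen
}

def new_pipeline():
    """Every state starts with an empty key set, last changed at time 0."""
    return {s: (frozenset(), 0) for s in STATES}

def run(pipe, obs, now):
    """One pass: copy a key set forward wherever a state differs from its
    predecessor and its constraint holds. Returns the states that changed."""
    changed = []
    signer = frozenset(obs["signer"])
    if pipe["0signer"][0] != signer:
        pipe["0signer"] = (signer, now)
        changed.append("0signer")
    for prev, cur in zip(STATES, STATES[1:]):
        keys, since = pipe[prev]
        if pipe[cur][0] != keys and CONSTRAINTS[cur](keys, since, obs, now):
            pipe[cur] = (keys, now)
            changed.append(cur)
    return changed

def needs_ds_submit(pipe):
    """The parent lags the matured child set: a DS change must be submitted."""
    return pipe["2mature"][0] != pipe["3parent"][0]

def sample_obs():
    """Constructed observations: ns2 is down, parent has no DS yet."""
    return {"signer": {12345}, "dnskey_ttl": 3600, "ds_ttl": 3600,
            "child_auth": {"ns1": {12345}, "ns2": None},
            "parent_ds": set(), "parent_auth": {"p1": set(), "p2": set()}}
```

Call `run` periodically with fresh observations; `needs_ds_submit` tells the caller when to send the DS change to the parent, and a change of `6dsseen` is the point at which ds-seen is reported.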
