> Reading
>
> https://www.opendnssec.org/documentation/using-opendnssec/
>
> "Configure the <DelegationSignerSubmitCommand> if you want to have a
> program/script receiving the new KSK during a key rollover. This will
> make it possible to create a fully automatic KSK rollover, where
> OpenDNSSEC feed your program/script on stdin with the current set of
> DNSKEYs that we want to have in the parent as DS RRs. There are two
> examples available: an eppclient and a simple mail script. Remember
> that the ods-ksmutil key ds-seen must be given in order to complete
> the rollover. This should only be done when the new DS RRs are
> available on the parents public nameservers."
>
> it's unclear.
>
> Is ODS enforcer polling for a specific trigger to fire each script?

It decides based on its internal state. When a KSK is ready to be submitted to the parent the <DelegationSignerSubmitCommand> script will run. After that it waits for an external signal (ds-seen), given by either the operator or a script.

> Or do we need to add polling of some sort in the scripts themselves?

OpenDNSSEC does not poll the parent nameservers to see the DS availability. So if you fully want to automate a rollover you will need to do some polling yourself before you call ds-seen. On our roadmap are plans for adding more hooks to OpenDNSSEC to aid this process. But that won't be short term though.

//Yuri
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
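
The check a polling script has to make before calling ds-seen, as an added example that is not part of the original message and is not OpenDNSSEC code: derive the SHA-256 DS from the new KSK and release the ds-seen command only when every parent nameserver already serves it. It assumes the DS answers were collected beforehand, one query per parent server; the function names, sample key and server names are hypothetical.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical lower-case wire format (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def expected_ds(zone, dnskey):
    """(keytag, algorithm, digest type 2, SHA-256 digest) the parent should publish."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], 2, digest

def parse_ds(line):
    """Parse DS RDATA text 'keytag alg digesttype digest'; None if malformed."""
    try:
        tag, alg, dtype, *digest = line.split()
        return int(tag), int(alg), int(dtype), "".join(digest).upper()
    except ValueError:
        return None

def ds_seen_command(zone, dnskey, ds_by_server):
    """argv for ds-seen, or None unless every parent server serves the new DS."""
    want = expected_ds(zone, dnskey)
    if not ds_by_server:
        return None  # no answers collected: never treat that as "seen"
    for lines in ds_by_server.values():
        if want not in {parse_ds(l) for l in lines}:
            return None  # at least one parent server lags: keep polling
    return ["ods-ksmutil", "key", "ds-seen", "--zone", zone, "--keytag", str(want[0])]

# Constructed sample: a made-up 32-byte key and made-up parent server names.
SAMPLE_KEY = (257, 3, 15, base64.b64encode(bytes(range(32))).decode())
_t, _a, _d, _h = expected_ds("example.com", SAMPLE_KEY)
SAMPLE_ANSWERS = {"a.parent.example": [f"{_t} {_a} {_d} {_h}"], "b.parent.example": []}

if __name__ == "__main__":
    print(ds_seen_command("example.com", SAMPLE_KEY, SAMPLE_ANSWERS))  # one server lags
```

Run it from cron or a loop and execute the returned argv only when it is not None.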
