Hi, I'm continuing on my path to transition to OpenDNSSEC 2.x, and naturally the question of the documentation for the Key and DS states comes up.
This was brought up already by Casper Gielen in https://lists.opendnssec.org/pipermail/opendnssec-user/2017-October/004117.html and I agree with much of what he says. The documentation about "Key states explained" at https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125365 could do with some improvements. There is also https://wiki.opendnssec.org/display/OpenDNSSEC/Changes+to+key+states+and+rollovers which documents the differences between OpenDNSSEC 1.x and 2.x when it comes to key states.

I have a couple of specific questions:

1) OpenDNSSEC 2.x introduces two new key operations, "ds-submit" and "ds-retract". If I've understood correctly (the docs don't say this explicitly), these are mostly "safety measures", by which the operator can indicate to OpenDNSSEC that he will submit the DS record for a given key, or will de-register the DS record for a given key, and which will cause OpenDNSSEC to respectively not take the key out of use or start re-using it. Casper's message seems to indicate that OpenDNSSEC does these operations itself, which I find puzzling. What is correct? There is no follow-up to his message which clarifies this.

2) The 4-state diagram describing "hidden", "rumoured", "omnipresent" and "unretentive" as key states doesn't really explain sufficiently whether the individual state transitions are purely timer-based, or whether operator or "external tool" action is required. Some of the text seems to imply that e.g. the transition from "rumoured" to "omnipresent" is purely timer-based. Is that precise and correct?

3) It seems like "dead" keys (both "Pub" and "Act" are 0, and other states mostly "hidden" or "NA" -- what's the exact condition?) are no longer automatically removed, but removal / cleanup of dead keys needs to be done via "ods-enforcer key purge [--zone <zone>]". True?

This will probably not be the last set of questions in this area...
Regards,
- Håvard

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
