[dns-operations] Graphical timelines for DNSSEC operations

Emmanuel Thierry ml at sekil.fr
Fri Dec 13 15:10:16 UTC 2013


Hello,

On 13 Dec 2013 at 15:43, Klaus Darilion wrote:

> On 13.12.2013 15:21, Emmanuel Thierry wrote:
>> Hello
>> (First time posting on this ML)
>> 
>> After several months of waiting, I'm testing DNSSEC deployment with some of my domains, using the OpenDNSSEC software.
>> However, some principles are still hard to envision for dummies, especially time schedules.
>> 
>> As an example, RFC 6781 shows a very clear timeline in section 4.4.2.2 about signature validity. But it misses this for every other operation (KSK or ZSK rollover, DS publication in the parent zone, ...). Concretely, it implies that system administrators who are not DNSSEC experts may have a lot of trouble understanding what exactly each configuration parameter means in software that sticks really tightly to RFC 6781, such as OpenDNSSEC. As a consequence, DNSSEC configuration looks like black magic that will work (because the software is made to do so) but we don't know why...
>> In my very specific case, I don't understand which of my parameters makes the KSK take one day to be considered "published" when my zones' TTLs are set to 3600.
> 
> Maybe you have configured a long "propagation delay".
> See https://wiki.opendnssec.org/display/DOCS/kasp.xml

Indeed, it worked when I reduced the PropagationDelay field from the Zone block (it was the most logical candidate).


>> 
>> Does material exists to explicit graphically (in an ideal way) each specific key and DNSSEC records life cycle, in the same manner of section 4.4.2.2 ?
> 
> Have you checked:
> https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and
> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03

A lot clearer! I think any system administrator deploying DNSSEC-enabled authoritative servers should have it! ;)
However, I still wonder how, for instance, the PropagationDelay field from the Parent block is used. The zone was automatically marked "active" when I set it ds-seen. I would have expected OpenDNSSEC to wait for PropagationDelay to mark it active according to the timeline you refer to (PropagationDelay == "Dreg" ?). Anyway, we are switching a bit to OpenDNSSEC internals.

Best regards
Emmanuel Thierry
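As an added illustration (not part of this thread, and not OpenDNSSEC's own code), the script below applies the interval arithmetic from the key-timing draft linked in the reply (Ipub = Dprp + TTLkey for a newly published DNSKEY; Dreg + DprpP + TTLds from DS submission until every validator can see the new DS) to the situation described above. It shows why a one-day propagation delay, not the 3600 s TTL, dominates how long a new key takes to become ready, and it keeps Dreg (registration delay) and DprpP (parent propagation delay) as the separate terms the draft uses. The mapping of Dprp onto the Zone block's PropagationDelay and DprpP onto the Parent block's PropagationDelay, the sample values, and all function names are assumptions made for this example; the duration parser covers only the PnDTnHnMnS subset of ISO 8601 that kasp.xml-style values use.

```python
import re
from datetime import datetime, timedelta, timezone

# PnDTnHnMnS subset of ISO 8601 durations ("PT3600S", "P1D", "PT1H30M").
# Weeks, months and years are deliberately not handled.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Return the number of seconds in a kasp.xml-style ISO 8601 duration."""
    m = _DURATION.match(text.strip())
    if m is None or not any(m.groupdict().values()):
        raise ValueError(f"unsupported duration: {text!r}")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return g["d"] * 86400 + g["h"] * 3600 + g["m"] * 60 + g["s"]


def publish_interval(dprp, ttl_key):
    """Ipub = Dprp + TTLkey: seconds from publishing a DNSKEY until every
    resolver that may still cache the old DNSKEY RRset has seen the new one."""
    return dprp + ttl_key


def ds_interval(dreg, dprp_parent, ttl_ds):
    """Dreg + DprpP + TTLds: seconds from handing the DS to the parent until
    all validators can see the new DS. Registration delay and parent
    propagation delay are distinct terms in the key-timing draft."""
    return dreg + dprp_parent + ttl_ds


def seconds_until_ready(params):
    """Ipub for a dict keyed by the draft's symbols (assumed mapping:
    Dprp is the Zone block's PropagationDelay)."""
    return publish_interval(parse_duration(params["Dprp"]),
                            parse_duration(params["TTLkey"]))


def ksk_timeline(params, tpub):
    """Project Tpub -> Tready -> Tsbm -> 'DS visible everywhere' for a KSK.
    Assumed mapping: DprpP is the Parent block's PropagationDelay. This is
    the draft's arithmetic, not OpenDNSSEC's state machine."""
    tready = tpub + timedelta(seconds=seconds_until_ready(params))
    tsbm = tready  # earliest moment the DS may be submitted (Tsbm >= Tready)
    ds_visible = tsbm + timedelta(seconds=ds_interval(
        parse_duration(params["Dreg"]),
        parse_duration(params["DprpP"]),
        parse_duration(params["TTLds"])))
    return {"publish": tpub, "ready": tready, "submit": tsbm,
            "ds_visible": ds_visible}


# Constructed settings: the same 3600 s DNSKEY TTL, first with a one-day
# zone propagation delay, then with a one-hour one.
SLOW = {"TTLkey": "PT3600S", "Dprp": "P1D", "Dreg": "P2D",
        "DprpP": "PT1H", "TTLds": "PT3600S"}
FIXED = dict(SLOW, Dprp="PT1H")
T0 = datetime(2013, 12, 13, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, params in (("slow", SLOW), ("fixed", FIXED)):
        tl = ksk_timeline(params, T0)
        print(f"{name}: ready after {seconds_until_ready(params)} s, "
              f"DS visible everywhere at {tl['ds_visible'].isoformat()}")
```

With the constructed values, the "slow" set makes the key ready 90000 s (25 h) after publication and the "fixed" set after 7200 s, which is the kind of difference the reply above attributes to PropagationDelay rather than to the zone TTL.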



