[dns-operations] Graphical timelines for DNSSEC operations

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Dec 18 09:56:56 UTC 2013

On 12/13/2013 04:10 PM, Emmanuel Thierry wrote:
> Hello,
> On 13 Dec. 2013 at 15:43, Klaus Darilion wrote:
>> On 13.12.2013 15:21, Emmanuel Thierry wrote:
>>> Hello (First time posting on this ML)
>>> After several months of waiting, I'm testing DNSSEC deployment
>>> with some of my domains, using the OpenDNSSEC software. However, some
>>> principles are still hard to envision for dummies, especially
>>> time schedules.
>>> As an example, RFC 6781 shows a very clear timeline in the section
>>> about signature validity. But it lacks one for every other
>>> operation (KSK or ZSK rollover, DS publication in the parent
>>> zone, ...). Concretely, this implies that system administrators who
>>> are not DNSSEC experts may have a lot of trouble understanding what
>>> exactly each configuration parameter means in software that sticks
>>> really tightly to RFC 6781, such as OpenDNSSEC. In consequence,
>>> DNSSEC configuration looks like black magic that will work
>>> (because the software is made to do so) but we don't know why... In
>>> my very specific case, I don't understand which of my parameters
>>> makes the KSK take one day to be considered "published"
>>> when my zones' TTL is set to 3600.
>> Maybe you have configured a long "propagation delay". See
>> https://wiki.opendnssec.org/display/DOCS/kasp.xml
> Indeed, it worked when I reduced the PropagationDelay field from the
> Zone block (it was the most logical candidate).
>>> Does material exist that explains graphically (ideally)
>>> each specific key and DNSSEC record life cycle, in the same
>>> manner as section ?
>> Have you checked: 
>> https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and 
>> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03

To be clear, the enforcer logic in OpenDNSSEC is based on this IETF draft.

> A lot clearer! I think any system administrator deploying
> DNSSEC-enabled authoritative servers should have it! ;) However, I

I agree, time to move this forward.

> still wonder how, for instance, the PropagationDelay field from the
> Parent block is used. The zone was automatically marked "active"
> when I set it ds-seen. I would have expected OpenDNSSEC to wait for
> PropagationDelay to mark it active according to the timeline you
> refer to (PropagationDelay == "Dreg"?). Anyway, we are drifting a bit
> into OpenDNSSEC internals.

When you run ds-seen, this means that you have seen the DS for that key
at the parent name servers. So when you run that command, you are at
step 5, Tact. This is the only step that has not been fully automated
yet, and we didn't want to rely solely on the configured parameter.

Best regards,

Matthijs Mekking

> Best regards Emmanuel Thierry
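The exchange above turns on two things: which kasp.xml delay feeds which interval of the key-timing draft, and why a DS seen at the parent (ds-seen) rather than a configured delay sets Tact. The following is an added example, not OpenDNSSEC code and not from the draft itself: a small Python model of the draft's Double-Signature KSK rollover timeline (Tpub, Tsbm, Tact, Tret with Ipub = DprpC + TTLkey and Iret = DprpP + TTLds, as I read section 3.3.1), with durations written the way kasp.xml writes them (ISO 8601, e.g. PT3600S, P1D). The mapping of kasp.xml elements to the draft's symbols in the dataclass docstring, the Dreg parameter, and the 2013-12-13 sample timestamps are this example's assumptions and constructed input. It reproduces the "one day to be published" effect: with the zone TTL at 3600 but Zone/PropagationDelay at one day, Ipub is 25 hours, because the enforcer waits for the slowest secondary plus the DNSKEY TTL, not for the TTL alone.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# ISO 8601 duration with day and time designators only: "P1D", "PT9999S", "P1DT2H30M".
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text: str) -> int:
    """Convert a kasp.xml-style ISO 8601 duration to seconds.

    Year, month and week designators are deliberately rejected: their length
    depends on the calendar, and a rollover timeline must not guess it.
    """
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT") or text.endswith("T"):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return d * 86400 + h * 3600 + mi * 60 + s


@dataclass(frozen=True)
class KskTimingParams:
    """Inputs to the Double-Signature KSK timeline, in seconds.

    The mapping to kasp.xml elements below is this example's assumption:
      ttl_key : Keys/TTL               -> TTLkey (DNSKEY TTL in the child zone)
      dprp_c  : Zone/PropagationDelay  -> DprpC  (child zone reaches all secondaries)
      dreg    : registration delay     -> Dreg   (parent publishes a submitted DS)
      dprp_p  : Parent/PropagationDelay -> DprpP (parent zone reaches all its servers)
      ttl_ds  : Parent/DS/TTL          -> TTLds  (DS TTL in the parent zone)
    """
    ttl_key: int
    dprp_c: int
    dreg: int
    dprp_p: int
    ttl_ds: int

    @classmethod
    def from_durations(cls, ttl_key: str, dprp_c: str, dreg: str,
                       dprp_p: str, ttl_ds: str) -> "KskTimingParams":
        return cls(*(parse_duration(x) for x in (ttl_key, dprp_c, dreg, dprp_p, ttl_ds)))


def ksk_double_signature_timeline(t_pub: int, p: KskTimingParams,
                                  ds_seen: Optional[int] = None) -> Dict[str, int]:
    """Unix-time milestones of a Double-Signature KSK rollover.

    Tpub : new KSK and its RRSIGs over the DNSKEY RRset enter the zone
    Tsbm : earliest moment the new DS may be submitted to the parent,
           Tsbm = Tpub + Ipub, Ipub = DprpC + TTLkey (every cache has the new DNSKEY RRset)
    Tact : new DS visible at all parent servers; estimated as Tsbm + Dreg when no
           observation is available, otherwise taken from the observed ds-seen time
    Tret : earliest moment the old KSK may be retired,
           Tret = Tact + Iret, Iret = DprpP + TTLds (old DS gone from every cache)
    """
    ipub = p.dprp_c + p.ttl_key
    iret = p.dprp_p + p.ttl_ds
    t_sbm = t_pub + ipub
    if ds_seen is None:
        t_act = t_sbm + p.dreg
    else:
        # A DS observed before Tsbm was submitted before the new DNSKEY could have
        # reached every cache. If the parent swaps the DS, a validator still holding
        # the old DNSKEY RRset would find no key matching the new DS.
        if ds_seen < t_sbm:
            raise ValueError("DS observed at the parent before Tsbm: submitted too early")
        t_act = ds_seen
    return {"Tpub": t_pub, "Ipub": ipub, "Tsbm": t_sbm,
            "Tact": t_act, "Iret": iret, "Tret": t_act + iret}


def fmt_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")


if __name__ == "__main__":
    # Constructed scenario: zone TTL 3600, first with a one-day Zone/PropagationDelay,
    # then with the delay reduced to one hour, as in the thread.
    t_pub = int(datetime(2013, 12, 13, 15, 0, tzinfo=timezone.utc).timestamp())
    for dprp_c in ("P1D", "PT3600S"):
        p = KskTimingParams.from_durations("PT3600S", dprp_c, "PT1H", "PT1H", "PT3600S")
        tl = ksk_double_signature_timeline(t_pub, p)
        print(f"Zone/PropagationDelay={dprp_c}: Ipub={tl['Ipub']}s, "
              f"Tsbm={fmt_utc(tl['Tsbm'])}, Tret={fmt_utc(tl['Tret'])}")
```

Passing an observed ds-seen time instead of relying on Dreg is the behaviour Matthijs describes for the enforcer: the configured delay is only an estimate, while the observation is ground truth, and the function refuses an observation earlier than Tsbm because that would mean the DS went into the parent before the child's DNSKEY could be safely relied on.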
