Migrating to dnssec-policy, DS is set to rumoured
Another problem is that now all KSK from dnssec-mgr are marked with DS rumoured. I think it would make sense when importing keys from the old system to consider they are already in use.
named looks at the key timing metadata when it first creates a state file. If the SyncPublish time is in the past it sets it to rumoured, and if it is way in the past (DS TTL + parent propagation delay) it sets it to omnipresent.
Apparently it does not work in all cases; all of these zones' SyncPublish were way way in the past:
Kddns.duckcorp.org.+010+35289.key:; SyncPublish: 20200828053548 (Fri Aug 28 07:35:48 2020)
Kduckcorp.org.+010+53511.key:; SyncPublish: 20200826184211 (Wed Aug 26 20:42:11 2020)
K_kage.duckcorp.org.+010+01026.key:; SyncPublish: 20200827101015 (Thu Aug 27 12:10:15 2020)
K_kage.milkypond.org.+010+04086.key:; SyncPublish: 20200404160447 (Sat Apr 4 18:04:47 2020)
Kmilkypond.org.+010+64539.key:; SyncPublish: 20200826184217 (Wed Aug 26 20:42:17 2020)
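The rule described in the reply above can be checked offline against `SyncPublish` listings like these. This is an added example, not part of the thread and not BIND's own code. The DS TTL and propagation delay values, the `hidden` result for a future `SyncPublish`, the helper names and the sample key names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed values; use parent-ds-ttl and parent-propagation-delay
# from your own dnssec-policy.
PARENT_DS_TTL = timedelta(days=1)
PARENT_PROPAGATION_DELAY = timedelta(hours=1)

# Matches lines in the listing format shown above; the 14-digit stamp is UTC.
LINE_RE = re.compile(r"^(K\S+?)\.key:; SyncPublish: (\d{14})\b")

# Constructed sample (hypothetical key names), same format as the listing.
SAMPLE = """\
Kexample.org.+010+11111.key:; SyncPublish: 20200826184211 (Wed Aug 26 20:42:11 2020)
Kexample.org.+010+22222.key:; SyncPublish: 20200930230000 (Thu Oct  1 01:00:00 2020)
Kexample.org.+010+33333.key:; SyncPublish: 20201101000000 (Sun Nov  1 01:00:00 2020)
"""

def expected_ds_state(sync_publish, now):
    """DS state expected from the rule quoted in the thread."""
    if sync_publish > now:
        return "hidden"  # assumption: the thread does not cover future times
    if sync_publish + PARENT_DS_TTL + PARENT_PROPAGATION_DELAY <= now:
        return "omnipresent"  # "way in the past"
    return "rumoured"  # in the past, but not by TTL + delay yet

def classify(listing, now):
    """Map each key base name in the listing to its expected DS state."""
    result = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not SyncPublish entries
        stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
        result[m.group(1)] = expected_ds_state(stamp.replace(tzinfo=timezone.utc), now)
    return result

def mismatches(expected, actual):
    """Keys whose observed DS state differs from the expected one."""
    return {k: (expected[k], actual.get(k)) for k in expected
            if actual.get(k) != expected[k]}

if __name__ == "__main__":
    now = datetime(2020, 10, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed for repeatability
    for key, state in classify(SAMPLE, now).items():
        print(f"{key}: expected DS state {state}")
```

Pass `mismatches` a dict of the DS states actually recorded for each key to list the keys that deviate from the described rule.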