Force set DS state after 'rndc dnssec -checkds' (!7423) · Merge requests · ISC Open Source Projects / BIND

Matthijs Mekking requested to merge 3822-rndc-dnssec-checkds-force-ds-state into main Jan 25, 2023

Set the DS state after issuing 'rndc dnssec -checkds'. If the DS was published, it should go in RUMOURED state, regardless whether it is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN) would also allow for easy shoot in the foot situations.

Closes #3822 (closed)

Edited Jan 27, 2023 by Mark Andrews

Force set DS state after 'rndc dnssec -checkds'

Merge request reports