
Force set DS state after 'rndc dnssec -checkds'

Matthijs Mekking requested to merge 3822-rndc-dnssec-checkds-force-ds-state into main

Set the DS state after issuing 'rndc dnssec -checkds'. If the DS was published, it should go into the RUMOURED state, regardless of whether it is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or UNRETENTIVE) would allow for easy shoot-in-the-foot situations.

Similarly, if the DS was withdrawn, the state should be set to UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN) would also allow for easy shoot-in-the-foot situations.

Closes #3822 (closed)

Edited by Mark Andrews
