[Opendnssec-user] Timing/triggers for ODS2 Enforcer's <DelegationSignerSubmitCommand> & <DelegationSignerRetractCommand> ?
PGNet Dev
2017-01-20 13:24:27 UTC
In ODS 2.1.x, I'm working on full DS-record automation using APIs for different registrars.

Within conf.xml, the two options for triggering scripts are

<DelegationSignerSubmitCommand>
<DelegationSignerRetractCommand>

What are the specific prerequisites & timing for these to be called?

Reading

https://www.opendnssec.org/documentation/using-opendnssec/

"Configure the <DelegationSignerSubmitCommand> if you want to have a program/script receiving the new KSK during a key rollover. This will make it possible to create a fully automatic KSK rollover, where OpenDNSSEC feed your program/script on stdin with the current set of DNSKEYs that we want to have in the parent as DS RRs. There are two examples available: an eppclient and a simple mail script. Remember that the ods-ksmutil key ds-seen must be given in order to complete the rollover. This should only be done when the new DS RRs are available on the parents public nameservers."

it's unclear.

Is ODS enforcer polling for a specific trigger to fire each script?

Or do we need to add polling of some sort in the scripts themselves?
PGNet Dev
2017-01-27 19:29:51 UTC
I see others on other threads are asking re: timing/triggers for 1.4.

Let's try this again for 2.x ...
Post by PGNet Dev
In ODS 2.1.x, I'm working on full DS-record automation using APIs for different registrars.
Within conf.xml, the two options for triggering scripts are
<DelegationSignerSubmitCommand>
<DelegationSignerRetractCommand>
What are the specific prerequisites & timing for these to be called?
Reading
https://www.opendnssec.org/documentation/using-opendnssec/
"Configure the <DelegationSignerSubmitCommand> if you want to have a program/script receiving the new KSK during a key rollover. This will make it possible to create a fully automatic KSK rollover, where OpenDNSSEC feed your program/script on stdin with the current set of DNSKEYs that we want to have in the parent as DS RRs. There are two examples available: an eppclient and a simple mail script. Remember that the ods-ksmutil key ds-seen must be given in order to complete the rollover. This should only be done when the new DS RRs are available on the parents public nameservers."
it's unclear.
Is ODS enforcer polling for a specific trigger to fire each script?
Or do we need to add polling of some sort in the scripts themselves?
Yuri Schaeffer
2017-02-01 08:23:20 UTC
Post by PGNet Dev
Reading
https://www.opendnssec.org/documentation/using-opendnssec/
"Configure the <DelegationSignerSubmitCommand> if you want to have a
program/script receiving the new KSK during a key rollover. This will
make it possible to create a fully automatic KSK rollover, where
OpenDNSSEC feed your program/script on stdin with the current set of
DNSKEYs that we want to have in the parent as DS RRs. There are two
examples available: an eppclient and a simple mail script. Remember
that the ods-ksmutil key ds-seen must be given in order to complete
the rollover. This should only be done when the new DS RRs are
available on the parents public nameservers."
it's unclear.
Is ODS enforcer polling for a specific trigger to fire each script?
It decides based on its internal state. When a KSK is ready to be
submitted to the parent the <DelegationSignerSubmitCommand> script
will run. After that it waits for an external signal (ds-seen), given
by either the operator or a script.
Post by PGNet Dev
Or do we need to add polling of some sort in the scripts themselves?
OpenDNSSEC does not poll the parent nameservers to see that DS
availability. So if you fully want to automate a rollover you will need
to do some polling yourself before you call ds-seen.

On our roadmap are plans for adding more hooks to OpenDNSSEC to aid this
process. But that won't be short term though.

//Yuri
Havard Eidnes
2017-02-01 14:45:52 UTC
Post by Yuri Schaeffer
Post by PGNet Dev
Is ODS enforcer polling for a specific trigger to fire each script?
It decides based on its internal state. When a KSK is ready to be
submitted to the parent the <DelegationSignerSubmitCommand> script
will run. After that it waits for an external signal (ds-seen), given
by either the operator or a script.
Post by PGNet Dev
Or do we need to add polling of some sort in the scripts themselves?
OpenDNSSEC does not poll the parent nameservers to see that DS
availability. So if you fully want to automate a rollover you will need
to do some polling yourself before you call ds-seen.
Indeed. To do this checking with my OpenDNSSEC 1.4.x installation, I
use the attached script as a component in the setup, and do this polling
via cron for zones where the status says "waiting for ds-seen". It must
be run by a user which can do "ods-ksmutil key export".

Regards,

- Håvard
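The polling step Yuri describes (OpenDNSSEC does not check the parent itself, so something must confirm the DS is live before ds-seen is given) and the cron-driven check Håvard mentions can be sketched as follows. This is an added example written for this thread; it is not Håvard's attached script (which is not reproduced here) and not OpenDNSSEC code. It assumes the submit script receives DNSKEY RRs on stdin in ordinary presentation format with an optional `;{id = ...}` comment, that the parent's DS set is obtained out of band (for example the output of `dig +short DS <zone> @<parent-ns>`, not performed here), and that the ds-seen invocation is `ods-enforcer key ds-seen --zone <zone> --keytag <tag>` (`ods-ksmutil` for 1.4). The DS computation follows RFC 4034 (key tag from appendix B, digest type 2 = SHA-256 over the canonical owner name plus DNSKEY RDATA), so the expected DS set is derived from what OpenDNSSEC hands over rather than typed in by hand.

```python
"""Gate the ds-seen step of an OpenDNSSEC KSK rollover on what the parent
actually publishes. Hypothetical helper for this thread, not OpenDNSSEC code."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, whitespace removed


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminating zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey) -> DS:
    """DS with digest type 2: SHA-256(owner_wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, 2, digest)


def parse_dnskey_line(line: str):
    """Parse one DNSKEY RR of the assumed stdin layout
    'example.com. 3600 IN DNSKEY 257 3 13 <base64> ;{id = ... (ksk)}'.
    Trailing ';' comments are dropped; anything that is not a DNSKEY RR
    (blank lines, RRSIGs) yields None."""
    fields = line.split(";", 1)[0].split()
    if "DNSKEY" not in fields or "RRSIG" in fields:
        return None
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def expected_ds(stdin_text: str) -> set:
    """DS set we want at the parent, derived from every DNSKEY handed to us."""
    out = set()
    for line in stdin_text.splitlines():
        parsed = parse_dnskey_line(line)
        if parsed:
            out.add(ds_from_dnskey(*parsed))
    return out


def parse_ds_answer(lines) -> set:
    """Parse DS RRs as the parent returns them: bare 'dig +short' form
    ('2068 13 2 <hex>') or full RR form with owner/TTL/class columns."""
    out = set()
    for line in lines:
        fields = line.split(";", 1)[0].split()
        if "DS" in fields:
            fields = fields[fields.index("DS") + 1:]
        if len(fields) < 4:
            continue
        keytag, alg, dtype = (int(x) for x in fields[:3])
        out.add(DS(keytag, alg, dtype, "".join(fields[3:]).upper()))
    return out


def ds_published(expected: set, observed: set) -> bool:
    """ds-seen is only safe once every DS we submitted is visible. Extra DS
    at the parent (the outgoing KSK mid-rollover) do not block."""
    return bool(expected) and expected <= observed


def ds_seen_commands(zone: str, ds_set: set, tool: str = "ods-enforcer") -> list:
    """One 'key ds-seen' invocation per key tag (assumed 2.x syntax; pass
    tool='ods-ksmutil' for 1.4). Returned, not executed, so a cron wrapper
    can log or dry-run them."""
    return [[tool, "key", "ds-seen", "--zone", zone, "--keytag", str(ds.keytag)]
            for ds in sorted(ds_set, key=lambda d: d.keytag)]


def decide(zone: str, submit_stdin: str, parent_answer_lines) -> list:
    """Commands to run now, or [] if the parent does not yet show our DS."""
    want = expected_ds(submit_stdin)
    return ds_seen_commands(zone, want) if ds_published(want, parse_ds_answer(parent_answer_lines)) else []


if __name__ == "__main__":
    # Constructed sample of the submit script's stdin (tiny fake key, not a real one).
    sample_stdin = "example.com.\t3600\tIN\tDNSKEY\t257 3 13 AQIDBA== ;{id = 4242 (ksk)}\n"
    # Stand-in for the parent's answer; in production query the parent's servers.
    parent_lines = [f"{d.keytag} {d.algorithm} {d.digest_type} {d.digest}" for d in expected_ds(sample_stdin)]
    print(decide("example.com", sample_stdin, parent_lines))
```

In the workflow the thread describes, the submit script would save its stdin per zone, and a cron job for zones still "waiting for ds-seen" would re-query the parent's authoritative servers (all of them, not a resolver cache), call `decide`, and only run the returned commands once it comes back non-empty; the retract side is not covered here because the thread leaves its trigger conditions unanswered.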
pgndev
2017-02-02 00:02:25 UTC
Post by Yuri Schaeffer
Post by PGNet Dev
Is ODS enforcer polling for a specific trigger to fire each script?
It decides based on its internal state. When a KSK is ready to be
submitted to the parent the <DelegationSignerSubmitCommand> script
will run. After that it waits for an external signal (ds-seen), given
by either the operator or a script.
Post by PGNet Dev
Or do we need to add polling of some sort in the scripts themselves?
OpenDNSSEC does not poll the parent nameservers to see that DS
availability. So if you fully want to automate a rollover you will need
to do some polling yourself before you call ds-seen.
That's helpful.

And what are the trigger conditions / different usage for

<DelegationSignerRetractCommand>

?

Is it triggered automatically based on internal state as well? Which?

Or does it fire on a manually executed cmd line trigger?

Understood that 'more automation' will come later -- clearer
documentation of the current state of triggers & timing, and general
usage in an automated process, even if/as it's DIY for now, would be
helpful.
