mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-16 19:30:00 -04:00
04d8fc0143
Add a new 'rndc' command 'dnssec -checkds' that allows the user to signal named that a new DS record has been seen published in the parent, or that an existing DS record has been withdrawn from the parent. Upon the 'checkds' request, 'named' will write out the new state for the key, updating the 'DSPublish' or 'DSRemoved' timing metadata. This replaces the "parent-registration-delay" configuration option, this was unreliable because it was purely time based (if the user did not actually submit the new DS to the parent for example, this could result in an invalid DNSSEC state). Because we cannot rely on the parent registration delay for state transition, we need to replace it with a different guard. Instead, if a key wants its DS state to be moved to RUMOURED, the "DSPublish" time must be set and must not be in the future. If a key wants its DS state to be moved to UNRETENTIVE, the "DSRemoved" time must be set and must not be in the future. By default, with '-checkds' you set the time that the DS has been published or withdrawn to now, but you can set a different time with '-when'. If there is only one KSK for the zone, that key has its DS state moved to RUMOURED. If there are multiple keys for the zone, specify the right key with '-key'. |
||
|---|---|---|
| .. | ||
| include | ||
| unix | ||
| win32 | ||
| .gitignore | ||
| bind9.xsl | ||
| builtin.c | ||
| config.c | ||
| control.c | ||
| controlconf.c | ||
| fuzz.c | ||
| geoip.c | ||
| log.c | ||
| logconf.c | ||
| main.c | ||
| Makefile.am | ||
| named.conf.rst | ||
| named.rst | ||
| server.c | ||
| statschannel.c | ||
| tkeyconf.c | ||
| tsigconf.c | ||
| xsl_p.h | ||
| zoneconf.c | ||