Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #15779
| Path | csiph.com!weretis.net!feeder7.news.weretis.net!news.szaf.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | PGNet Dev <pgnet.dev@gmail.com> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind? |
| Date | Tue, 26 May 2020 08:56:34 -0700 |
| Lines | 22 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.440.1590508581.942.bind-users@lists.isc.org> (permalink) |
| References | <035aafab-7d58-12fa-7607-1f3634271fd3@gmail.com> |
| Reply-To | pgnet.dev@gmail.com |
| NNTP-Posting-Host | lists.isc.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=utf-8 |
| Content-Transfer-Encoding | 7bit |
| X-Trace | usenet.stanford.edu 1590508602 10573 149.20.1.60 (26 May 2020 15:56:42 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| To | bind-users@lists.isc.org |
| Return-Path | <pgnet.dev@gmail.com> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=reply-to:to:from:subject:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=Wt2weSYMrmsOBH8VnSm8IdaaEjaFhBNEcozJO2avlF8=; b=gsl/zsZ/jMGVTqfLUkWGWNYNkIUQBAMXwyF6yVm60H8N5FTdykEJIlBbVH3hTUcvz5 FrqWjClbGckC3R3fYaHiIZ5oByk1BRiz9h4ivPp+UKjcuB5BXTdQ9tKE9tTgGZiYxNUz s+duzSBpX/xkElBme4/yV9L4N4uuvNPvTzhH9a9nN40bK97iYjdKJC9yS8a9CHV7ag3t vO2unCNwi3ciyuoEkmowsGn298+Guy1Ry8GBLesRqycTR++BF+qXBPIkF9PPtgnuQgTM QclofvjTNS2fe+eM7od64Qdv+mVRVteU/ZgfDCOf28pcf+sLFkHnNjbxs/6Y0wtOhcf0 KAlg== |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:to:from:subject:message-id:date :user-agent:mime-version:content-language:content-transfer-encoding; bh=Wt2weSYMrmsOBH8VnSm8IdaaEjaFhBNEcozJO2avlF8=; b=MBJ/klCgwo3J1mHknZTPHH44qVTNBsQ0QSdh3+wA2alJCCImnP/QSyUJvYTOtCYT6l do72VWUb622/ztptHC+WKbEQHGeqBNT+T3zogBLcazo5A7dME2kl37Y5v/7l7plSvJnR lVou1dnz3jY8cHb4nuGw5OR3KGs+6+vh5nh4T8U0FqBBRzDHnNYNdXTQEB6cmUEPRDLQ opHfLG4qSKZJ1e3UyeUEqmqQmQcM79C2H/1Q9kIyahzEvSwtWZeQSlnzRN5p+2joj3ih uyHZvtt6hI7FKovlDovqyyBwZluaB5CS1LkdZrUteW6OwACCXQGypi7cXsQG9rE2jpF1 xCZg== |
| X-Gm-Message-State | AOAM5313MAbbe0kKL8UIwAu1UnP4+X63pZJkIiVQZG5BE44ZWq9mOYVX BUf8oxxLeSUCP9KPH2A81+YB7Abp |
| X-Google-Smtp-Source | ABdhPJxrqSeN6g8Mt3yTDcHOLqxQp3g58Jz5bqKwD5BhbvXtPHGqFq0EI6x2eT/fDJDLG7ft1AL+8g== |
| X-Received | by 2002:a17:902:b718:: with SMTP id d24mr1615300pls.185.1590508596191; Tue, 26 May 2020 08:56:36 -0700 (PDT) |
| User-Agent | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 |
| Content-Language | en-US |
| X-Spam-Status | No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <035aafab-7d58-12fa-7607-1f3634271fd3@gmail.com> |
| Xref | csiph.com comp.protocols.dns.bind:15779 |
Show key headers only | View raw
i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3. the new policy does a nice job of streamlining the signing/key mgmt. after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API. as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there an external hook mechanism to external scripts that can handle the task. offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone. then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS. rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this. has anyone here done this effectively already, with a script/solution that can be shared? are there any plans in place, or existing dev discussion, to address this within bind itself?
Back to comp.protocols.dns.bind | Previous | Next | Find similar | Unroll thread
automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind? PGNet Dev <pgnet.dev@gmail.com> - 2020-05-26 08:56 -0700
csiph-web