| From | Mark Andrews <marka@isc.org> |
|---|---|
| Newsgroups | comp.protocols.dns.bind |
| Subject | Re: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind? |
| Date | Wed, 27 May 2020 09:50:32 +1000 |
| Message-ID | <mailman.445.1590537017.942.bind-users@lists.isc.org> |
| References | <035aafab-7d58-12fa-7607-1f3634271fd3@gmail.com> <00A9E019-5C44-4FEE-8706-35AC8F4E7655@isc.org> |
This is where we need to get the registrars to follow standards. They are written so everyone doesn’t have to cobble together ad-hoc solutions. Hourly scans of all the DNSSEC delegations by the registrars would do. Personally I prefer push solutions but I couldn’t get the IETF to agree.

https://tools.ietf.org/html/draft-andrews-dnsop-update-parent-zones-04

Mark

> On 27 May 2020, at 01:56, PGNet Dev <pgnet.dev@gmail.com> wrote:
>
> i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.
>
> the new policy does a nice job of streamlining the signing/key mgmt.
>
> after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar
>
> i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.
>
> as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there an external hook mechanism to external scripts that can handle the task.
>
> offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.
>
> then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.
>
> rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.
>
> has anyone here done this effectively already, with a script/solution that can be shared?
>
> are there any plans in place, or existing dev discussion, to address this within bind itself?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
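The CDS-polling approach described in the quoted message, as an added example that is not code from this thread or from BIND: it compares a zone's CDS RRset with the DS RRset at the parent and returns which DS records to submit and which to withdraw. It assumes rdata in `dig +short` form, treats an absent CDS RRset as "no change" (RFC 7344) and `0 0 0 00` as the delete request (RFC 8078); the function names and sample records are constructed, and the registrar API call itself is left out.

```python
# Added example: plan DS changes at the parent from a zone's CDS RRset.
# Input is DS/CDS rdata in `dig +short` form: "keytag alg digest-type digest".
# Feed it only answers obtained from a source you trust (DNSSEC-validated or
# read directly from your own signer), since the result drives the delegation.

DELETE_SENTINEL = (0, 0, 0, "00")  # RFC 8078 "remove all DS" request


def parse_rdata(text):
    """Parse DS-format rdata lines into a set of normalized tuples."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # skip blank lines and dig comments
        if len(fields) < 4:
            raise ValueError(f"malformed DS rdata: {line!r}")
        keytag, alg, dtype = (int(f) for f in fields[:3])
        # dig may split a long digest with spaces; hex case is not significant
        digest = "".join(fields[3:]).upper()
        int(digest, 16)  # raises ValueError on a non-hex digest
        records.add((keytag, alg, dtype, digest))
    return records


def plan_ds_changes(cds_text, parent_ds_text):
    """Return (to_submit, to_withdraw) as sorted lists of DS tuples."""
    cds = parse_rdata(cds_text)
    parent = parse_rdata(parent_ds_text)
    if not cds:
        return [], []  # no CDS published: leave the parent untouched
    if DELETE_SENTINEL in cds:
        if len(cds) != 1:
            raise ValueError("delete sentinel mixed with other CDS records")
        return [], sorted(parent)  # zone is going insecure: withdraw every DS
    return sorted(cds - parent), sorted(parent - cds)


# Constructed sample (digests shortened): 12345 is retiring, 54321 is the new KSK.
CDS_SAMPLE = "54321 13 2 aabbccdd00112233 445566778899AABB\n"
PARENT_SAMPLE = "12345 13 2 0011223344556677 8899AABBCCDDEEFF\n"

if __name__ == "__main__":
    submit, withdraw = plan_ds_changes(CDS_SAMPLE, PARENT_SAMPLE)
    print("submit:", submit)
    print("withdraw:", withdraw)
```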