From: Mark Andrews
Newsgroups: comp.protocols.dns.bind
Subject: Re: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?
Date: Wed, 27 May 2020 09:50:32 +1000
Approved: bind-users@lists.isc.org
References: <035aafab-7d58-12fa-7607-1f3634271fd3@gmail.com> <00A9E019-5C44-4FEE-8706-35AC8F4E7655@isc.org>
In-Reply-To: <035aafab-7d58-12fa-7607-1f3634271fd3@gmail.com>
To: pgnet.dev@gmail.com
Cc: bind-users@lists.isc.org

This is where we need to get the registrars to follow standards. They are written so everyone doesn't have to cobble together ad-hoc solutions. Hourly scans of all the DNSSEC delegations by the registrars would do. Personally I prefer push solutions but I couldn't get the IETF to agree.
https://tools.ietf.org/html/draft-andrews-dnsop-update-parent-zones-04

Mark

> On 27 May 2020, at 01:56, PGNet Dev wrote:
>
> I'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.
>
> The new policy does a nice job of streamlining the signing/key mgmt.
>
> After key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar.
>
> I'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.
>
> As I understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there an external hook mechanism to external scripts that can handle the task.
>
> Offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.
>
> Then, when a new record is added, trigger a submission of the DS to the parent. And, similarly, when a record is removed, trigger a withdrawal of the DS.
>
> Rather than re-inventing the wheel ... I'm guessing I'm not the only one who'd like to automate this.
>
> Has anyone here done this effectively already, with a script/solution that can be shared?
>
> Are there any plans in place, or existing dev discussion, to address this within bind itself?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
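The CDS-polling approach suggested in the quoted question, as an added example that is not code from either poster or from BIND: it assumes the child's CDS RRset and the parent's DS RRset have already been fetched (with dig or a resolver library) as presentation-format strings, and shows only the decision step, including the RFC 8078 "delete all DS" sentinel that a naive set difference would get wrong.

```python
# Added example: plan DS changes at the parent from the child's CDS RRset
# (RFC 7344 CDS/CDNSKEY, RFC 8078 delete sentinel). Not BIND's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, upper-cased so case differences do not matter


# RFC 8078 section 4: a lone "CDS 0 0 0 00" asks the parent to remove all DS.
DELETE_SENTINEL = DS(0, 0, 0, "00")


def parse_ds(rdata: str) -> DS:
    """Parse presentation-format DS/CDS RDATA such as '12345 13 2 AB12...'.
    The hex digest may be split across whitespace in dig or zone-file output."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed DS/CDS rdata: {rdata!r}")
    key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    return DS(key_tag, algorithm, digest_type, "".join(fields[3:]).upper())


def plan_ds_update(cds_rrset, parent_ds_rrset):
    """Return (to_add, to_withdraw, delete_all) for the parent/registrar.
    cds_rrset must come from a DNSSEC-validated query: RFC 7344 lets the
    parent act only on a CDS RRset signed by a key chained from the current
    DS, so an unvalidated CDS answer must never drive a DS change."""
    cds = {parse_ds(r) for r in cds_rrset}
    parent = {parse_ds(r) for r in parent_ds_rrset}
    if not cds:
        return set(), set(), False  # no CDS published: child asks for nothing
    if DELETE_SENTINEL in cds:
        if len(cds) != 1:
            raise ValueError("delete sentinel mixed with real CDS records")
        return set(), parent, True  # child wants to go insecure: withdraw all
    return cds - parent, parent - cds, False


if __name__ == "__main__":
    # Constructed sample (not a real zone): KSK rollover introducing key 23456
    # while key 12345 is still published; the parent only knows 12345 so far.
    child_cds = ["12345 13 2 AB12CD34", "23456 13 2 EF56AB78"]
    parent_ds = ["12345 13 2 ab12cd34"]
    print(plan_ds_update(child_cds, parent_ds))
```

Run the same comparison once the rollover has finished and the old key's CDS has disappeared, and the returned withdraw set is what the registrar API call should remove.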