
automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

Started by: PGNet Dev <pgnet.dev@gmail.com>
First post: 2020-05-26 08:56 -0700
Last post: 2020-05-26 08:56 -0700
Articles: 1 — 1 participant


#15779 — automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

From: PGNet Dev <pgnet.dev@gmail.com>
Date: 2020-05-26 08:56 -0700
Subject: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?
Message-ID: <mailman.440.1590508581.942.bind-users@lists.isc.org>
I'm migrating to/implementing the new `dnssec-policy` usage & KASP workflow in my BIND 9.16.3.

The new policy does a nice job of streamlining the signing/key management.

After key generation/rotation, the 'last step' is submitting new/changed DS records to the relevant registrar.

I'd like to automate the process of submitting generated DS records to the registrar/parent using a capable registrar's DNSSEC API.

As I understand it, there is neither any mechanism in BIND for automating the DS record submit, nor is there an external hook mechanism to external scripts that can handle the task.

Offline, it's been suggested to me that with the current version of BIND, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.

Then, when a new record is added, trigger a submission of the DS to the parent; and, similarly, when a record is removed, trigger a withdrawal of the DS.

Rather than reinventing the wheel ... I'm guessing I'm not the only one who'd like to automate this.

Has anyone here done this effectively already, with a script/solution that can be shared?

Are there any plans in place, or existing dev discussion, to address this within BIND itself?
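The polling approach suggested in the post, as an added example that is not the poster's code nor part of BIND: read the zone's CDS RRset from the local server, diff it against the DS set the parent currently publishes, and produce the submit/withdraw actions to hand to a registrar API (the registrar call itself is left to the reader, since every API differs). It assumes `dig` is installed and the authoritative server answers on 127.0.0.1; the `plan_ds_changes` function also handles the two edge cases a naive diff gets wrong: an absent CDS RRset means "no change" (RFC 7344), and a single `CDS 0 0 0 00` is the RFC 8078 request to delete all DS records.

```python
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class DsRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, normalised to upper case, no spaces


def parse_cds_rrset(presentation_lines):
    """Parse CDS (or DS) records in presentation format, one per line,
    e.g. 'example.com. 3600 IN CDS 12345 13 2 ABCD...'. Lines that are
    not CDS/DS records are ignored. Returns a set of DsRecord."""
    records = set()
    for line in presentation_lines:
        fields = line.split()
        if len(fields) < 8 or fields[3] not in ("CDS", "DS"):
            continue
        key_tag, alg, dtype = (int(f) for f in fields[4:7])
        digest = "".join(fields[7:]).upper()  # dig may split the hex with spaces
        records.add(DsRecord(key_tag, alg, dtype, digest))
    return records


def plan_ds_changes(child_cds, parent_ds):
    """Diff the child's published CDS RRset against the DS set at the parent.
    Returns (to_submit, to_withdraw)."""
    # RFC 7344: no CDS RRset means "do not change anything at the parent".
    # Treating an empty set as "withdraw everything" would unsign the zone.
    if not child_cds:
        return set(), set()
    # RFC 8078: a lone 'CDS 0 0 0 00' asks the parent to delete all DS records.
    if child_cds == {DsRecord(0, 0, 0, "00")}:
        return set(), set(parent_ds)
    return child_cds - parent_ds, parent_ds - child_cds


def fetch_cds(zone, server="127.0.0.1"):
    """Query the local authoritative server for the zone's CDS RRset.
    '+short' prints RDATA only, so the owner/TTL/class fields are re-added
    in the shape parse_cds_rrset expects (assumes dig is on PATH)."""
    out = subprocess.run(["dig", f"@{server}", zone, "CDS", "+short"],
                         capture_output=True, text=True, check=True).stdout
    lines = [f"{zone} 0 IN CDS {rdata}" for rdata in out.splitlines() if rdata.strip()]
    return parse_cds_rrset(lines)
```

Run it on a schedule per signed zone, keep the last-seen parent DS set in state (or fetch it from the registrar), and act only on the returned differences so a rollover generates exactly one submit and one withdraw.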
