dnssec-keymgr: Plans and usage?

bind-users at arminpech.de bind-users at arminpech.de
Sat Jun 25 14:29:41 UTC 2016


lastly I've discovered the new python tool dnssec-keymgr included in
BIND 9.11 alpha release. I'm seeking for simple tools to handle key
rollovers unattended. And the lightweight dnssec-keymgr could be the
right one.
Are there any future plans or milestones out there (expect of 'remaining
work' from the manual)?

I would like to handle KSK updates of second level domains using that
tool (option -k applies policy only on KSKs). And especially I'm looking
for an interface to trigger updates of DS records.
The call on dnssec-settime may could be wrapped using the -s option of
dnssec-keymgr to send a DS update via the registrar to the parent on
publications or removals of DNSKEYs from the zone.
But are there any other concepts or thoughts like supporting hooks for
different phases in key rollovers?


More information about the bind-users mailing list