dnssec-keymgr: Plans and usage?

Tony Finch dot at dotat.at
Mon Jun 27 14:10:12 UTC 2016

bind-users at arminpech.de <bind-users at arminpech.de> wrote:
> I would like to handle KSK updates of second level domains using that
> tool (option -k applies policy only on KSKs). And especially I'm looking
> for an interface to trigger updates of DS records.
> The call on dnssec-settime could be wrapped using the -s option of
> dnssec-keymgr to send a DS update via the registrar to the parent on
> publications or removals of DNSKEYs from the zone.
> But are there any other concepts or thoughts like supporting hooks for
> different phases in key rollovers?

I would like dnssec-settime to be able to record when DS records should
change - not for use by BIND's signing tools, but for use by my own (or
3rd party) registration API clients.

Then dnssec-keymgr could set these times according to the rollover policy,
and invoke the DS update client when appropriate. It should also use
dnssec-checkds to verify the API call worked.

(I think I have said something like that before, so my apologies if I am
being a bore...)

My registration API clients only deal with updating DNS delegations, they
aren't aiming at full EPP functionality. The model is roughly like nsdiff:
you give it a set of DS, NS, and glue records which are what the
delegation should look like, and it makes the necessary changes. So it's
naturally idempotent.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames: Westerly 4 or 5, becoming variable 3 or less. Slight,
occasionally moderate. Rain at first in east, otherwise fair. Good,
occasionally moderate.
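The nsdiff-like model described above (hand the client the DS set the delegation should have, let it work out the changes, and re-running it is a no-op), as an added example that is not Tony's registration client nor part of BIND. The per-KSK DS publish/delete times are an assumed stand-in for the timing that dnssec-settime does not yet record; the record lines are constructed.

```python
"""Idempotent DS-set maintenance for one delegation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class DS:
    """One DS record in presentation order: key tag, algorithm, digest type, hex digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(line: str) -> DS:
    """Parse 'owner [TTL] [IN] DS tag alg dtype digest...'; the digest may be split by spaces."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return DS(tag, alg, dtype, "".join(f[i + 4:]).upper())


@dataclass(frozen=True)
class KeyTiming:
    """Hypothetical per-KSK timing: when its DS should appear in, and leave, the parent."""
    ds: DS
    ds_publish: datetime
    ds_delete: Optional[datetime] = None


def desired_ds_set(timings: Iterable[KeyTiming], now: datetime) -> FrozenSet[DS]:
    """The DS records the parent should hold at 'now' under the rollover timing."""
    return frozenset(t.ds for t in timings
                     if t.ds_publish <= now and (t.ds_delete is None or now < t.ds_delete))


def plan_changes(current: FrozenSet[DS], desired: FrozenSet[DS]) -> Tuple[FrozenSet[DS], FrozenSet[DS]]:
    """Diff the parent's current DS set against the desired one: (to_add, to_remove).
    An empty plan means the registrar call can be skipped, which is what makes this idempotent."""
    return desired - current, current - desired


def apply_changes(current: FrozenSet[DS], plan: Tuple[FrozenSet[DS], FrozenSet[DS]]) -> FrozenSet[DS]:
    """What the parent holds once the registrar has applied the plan."""
    add, remove = plan
    return (current - remove) | add


if __name__ == "__main__":
    # Constructed sample: an old KSK whose DS is live, and a new KSK waiting for its DS publish time.
    old = parse_ds("example.org. IN DS 11111 13 2 AAAA")
    new = parse_ds("example.org. 3600 IN DS 22222 13 2 BB BB")
    now = datetime(2016, 7, 15, tzinfo=timezone.utc)
    timings = [KeyTiming(old, datetime(2016, 6, 1, tzinfo=timezone.utc), datetime(2016, 8, 1, tzinfo=timezone.utc)),
               KeyTiming(new, datetime(2016, 7, 1, tzinfo=timezone.utc))]
    print(plan_changes(frozenset({old}), desired_ds_set(timings, now)))
```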
