botched KSK rollover
Phil Mayers
p.mayers at imperial.ac.uk
Mon Aug 21 11:18:54 UTC 2017
On 18/08/17 16:25, Carl Byington wrote:
>> Sigh, it sure would be nice if I had a registrar with a means to
>> automate DS submission.
>
> You might want to look at gkg.net

Gandi are another excellent registrar that I can recommend. They have a
comprehensive API for all their features, including uploading DNSSEC
public keys and consequent creation of the DS record.

The API is a bit odd in that you call an RPC with the domain, alg, flags
and base64 of the pubkey (same as the dig output) as opposed to creating
the DS directly - the Gandi server side validates that the key is
present and (I believe) signing and synthesizes the DS for you. But it
definitely works.

I'm hoping CDS eventually makes this all obsolete.

Regards,
Phil
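
An added example (not part of the message above, and not Gandi's code): computing locally the DS that a registrar would synthesize from the domain, flags, alg and base64 pubkey, so the record published at the parent can be checked against it. It follows the RFC 4034 DS and key-tag construction; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest types from the IANA DS registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for the given DNSKEY."""
    if not flags & 0x0100:
        raise ValueError("Zone Key bit not set; a DS must not point at this key")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(published_ds, expected):
    """Compare DS RDATA text (as printed by dig +short) with a computed tuple."""
    tag, alg, dtype, *hex_parts = published_ds.split()
    return (int(tag), int(alg), int(dtype), "".join(hex_parts).upper()) == expected


# Constructed sample: a 64-byte dummy value standing in for an ECDSA P-256 key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = ds_from_dnskey("Example.COM.", 257, 3, 13, SAMPLE_KEY_B64)
```

Running the comparison against the parent's DS before retiring the old KSK shows whether the registrar has published the record you expect.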