Automatic Key Management

Tony Finch dot at
Thu Sep 14 14:55:43 UTC 2017

Mark Elkins <mje at> wrote:

> With BIND version 9.12 coming out - I'm wondering if I've missed any
> announcements on some form of Automatic (DNS)Key Management?
> Something that will create and retire keys according to some sort of policy.

See dnssec-keymgr (new in 9.11) which will automate ZSK management.

KSKs are still difficult. I don't know of any nice software for pushing
delegation updates through registrars. It's a fairly tedious business
because in many cases you'll need to talk to several different parents so
you have to write the same code in several different ways. Even the good
APIs (Gandi, RIPE) have murky corners (EPP itself is a movable feast), and
sometimes you may be stuck without an API and reduced to scripting
PhantomJS or something similarly horrible.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Portland, Plymouth: Northwest 5 or 6, occasionally 7 at first, then decreasing
4 at times. Very rough at first in southwest Plymouth, otherwise moderate or
rough becoming slight or moderate. Thundery showers. Good.
