Automatic Key Management

Tony Finch dot at
Mon Sep 18 13:10:41 UTC 2017

Mark Elkins <mje at> wrote:
> On my side, I can 'import' the KSK from the properly signed zone,
> generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full automation (KSK rollovers) I'd
> need dnssec-keymgr to call an external script when it's time to trigger
> some sort of "Sync" action.

Sounds nice! Yes, there's definitely a missing hook or two in
dnssec-keymgr: as you say, it needs to be able to call a script to update
the parent, and also, it is crucial that it checks that the parent has
actually deployed the new DS records because that's often asynchronous,
sometimes with long delays. Any KSK roll must stop at the DS update point
until the update has been confirmed, otherwise you have a footgun.

In its current state I don't think dnssec-keymgr is safe for KSK rolls
unless you wrap it in lots of protective scripting.

> Didn't spot anything to auto-generate CDS records although BIND 9.11 is
> apparently capable.

This is still a work in progress.

dnssec-settime has -P sync and -D sync options to specify when CDS and
CDNSKEY records are added and removed. CDS/CDNSKEY publication is
implemented by named's built-in signer but not by dnssec-signzone.

dnssec-keymgr does not yet know about -P sync or -D sync, as its man page

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Bailey: South 4 or 5, increasing 6 at times. Moderate. Rain. Moderate or good,
occasionally poor.

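As an added example of the gate Tony describes at the DS update point (this is not BIND code, and not the scripts either poster runs): compute the DS the parent should publish for the new KSK (RFC 4034 key tag, RFC 4509 SHA-256 digest), then refuse to let the roll continue until a lookup of the parent actually returns that DS. The owner name, the key bytes and the parent's responses are constructed; the `fetch_parent` callable is a stand-in for whatever queries the parent's authoritative servers (for instance a wrapper around `dig`).

```python
"""Gate for the DS-update step of a KSK rollover.

Added example; not code from BIND or from the scripts discussed on the list.
It computes the DS the parent should publish for the new KSK (RFC 4034 key
tag, RFC 4509 SHA-256 digest) and refuses to let the roll continue until a
lookup of the parent actually returns that DS.
"""
import hashlib
import time
from typing import Callable, Iterable, List, NamedTuple


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex


def wire_name(owner: str) -> bytes:
    """Canonical (lower-case, length-prefixed) wire form of an owner name."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> DS:
    """SHA-256 DS (digest type 2) over canonical owner name || DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), rdata[3], 2, digest)


def format_ds(ds: DS) -> str:
    """DS presentation-format RDATA."""
    return f"{ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}"


def parse_ds(line: str) -> DS:
    """Parse DS presentation-format RDATA: '<tag> <alg> <dtype> <hex digest>'."""
    tag, alg, dtype, *digest = line.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())


def parent_has_ds(expected: DS, parent_rdata: Iterable[str]) -> bool:
    """True if the parent's DS RRset (presentation RDATA) contains the expected DS."""
    return any(parse_ds(r) == expected for r in parent_rdata)


def wait_for_ds(expected: DS, fetch_parent: Callable[[], List[str]],
                attempts: int, delay: float) -> int:
    """Poll the parent until the DS appears. Returns the number of polls that
    were needed, or 0 if it was never seen: the roll must then stop here."""
    for n in range(1, attempts + 1):
        if parent_has_ds(expected, fetch_parent()):
            return n
        if n < attempts:
            time.sleep(delay)
    return 0


def demo() -> dict:
    """Constructed scenario: the parent publishes the new DS only on the 3rd lookup."""
    owner = "example.com."
    # Fake ECDSAP256SHA256 (alg 13) KSK with a 4-byte placeholder key; flags 257 = KSK
    new_ksk = dnskey_rdata(257, 3, 13, bytes([1, 2, 3, 4]))
    expected = make_ds(owner, new_ksk)
    old_ds = "12345 13 2 " + "00" * 32          # constructed DS of the outgoing KSK
    responses = iter([[old_ds], [old_ds], [old_ds, format_ds(expected)]])
    # Stand-in for querying the parent's authoritative servers (e.g. via dig)
    polls = wait_for_ds(expected, lambda: next(responses), attempts=5, delay=0)
    return {"key_tag": expected.key_tag, "polls": polls, "proceed": polls > 0}


if __name__ == "__main__":
    print(demo())
```

In real use `fetch_parent` should query each of the parent's authoritative servers directly rather than a recursive resolver, since the update is asynchronous and a cached answer would confirm nothing; a return of 0 from `wait_for_ds` means the roll stays parked at the DS step and the old KSK is not retired.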