Ask for automated KSK roll with DS checking

Bob Harold rharolde at
Wed Apr 14 20:00:38 UTC 2021

Does anyone have an automated KSK roll process, that checks for the DS
record at the parent, that they can share?

As far as I can tell, the automated signing in BIND will roll the KSK if I
set the timing in the policy file, but it won't check the DS record, so it
will happily break DNSSEC if some other process does not update the DS
record at the right time.  That's too big a risk for me; the process needs
to check the DS record before completing the KSK roll.  Surely someone has
done this.  I would rather not reinvent the wheel.  But I have searched and
not found anything yet.

Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
rharolde at
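
An added example, not part of the original message and not BIND's own code: a sketch in Python of the DS check asked for above. It derives the SHA-256 DS expected for the new KSK (key tag per RFC 4034, digest per RFC 4509) and permits retiring the old KSK only when every parent server's DS RRset contains it. The keys, server names and function names are constructed for illustration; in practice the DS RRsets would come from querying each parent authoritative server directly rather than a cache.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64key' into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def expected_ds(owner, dnskey_text):
    """(key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_published(owner, dnskey_text, parent_ds):
    """True only if the parent DS RRset contains the DS for this DNSKEY."""
    seen = set()
    for line in parent_ds:
        tag, alg, dtype, *digest = line.split()
        seen.add((int(tag), int(alg), int(dtype), "".join(digest).upper()))
    return expected_ds(owner, dnskey_text) in seen

def safe_to_retire_old_ksk(owner, new_ksk, ds_by_server):
    """Gate: every parent server queried must already serve the new DS."""
    return bool(ds_by_server) and all(
        ds_published(owner, new_ksk, rrset) for rrset in ds_by_server.values())

# Constructed sample data (not real keys): two algorithm-13 KSKs for example.com.
OLD_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
NEW_KSK = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()

def ds_line(owner, ksk):
    return "%d %d %d %s" % expected_ds(owner, ksk)

if __name__ == "__main__":
    old, new = ds_line("example.com", OLD_KSK), ds_line("example.com", NEW_KSK)
    views = {"a.parent.example": [old, new], "b.parent.example": [old]}
    print("safe to retire old KSK:", safe_to_retire_old_ksk("example.com", NEW_KSK, views))
```

Once the check passes, the old DS can still be held in resolver caches for up to its TTL, so the old key should stay in the zone at least that long.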