Ask for automated KSK roll with DS checking

Matthijs Mekking matthijs at
Thu Apr 15 06:56:44 UTC 2021

On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
> On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>> Does anyone have an automated KSK roll process, that checks for the DS
>> record at the parent, that they can share?
>> As far as I can tell, the automated signing in BIND will roll the KSK if I
>> set the timing in the policy file, but it won't check the DS record, so it
>> will happily break DNSSEC if some other process does not update the DS
>> record at the right time.  That's too big a risk for me, the process needs
>> to check the DS record before completing the KSK roll.  Surely someone has
>> done this.  I would rather not reinvent the wheel.  But I have searched and
>> not found anything yet.
> As I understand it, the way it works now is that the actual KSK rollover won't occur until you execute `rndc dnssec -checkds ...` [1].

That is correct.

> I'm hopeful that named will fully automate this check at some point soon.

It is on the roadmap:

- Matthijs

> [1] <>
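Following up on the `rndc dnssec -checkds` point above: the check that Bob asked for can be scripted around named rather than inside it. The script below is an added example, not code from this thread or from BIND, and it assumes BIND 9.16 or later with dnssec-policy, the `dnssec-dsfromkey` and `dig` tools from the BIND distribution, and placeholder values for the zone, key tag, algorithm, key directory and parent nameserver (none of these come from the thread). It only runs `rndc dnssec -checkds ... published` once the DS for the new KSK is actually visible at the parent; if it is not, named is left alone and the rollover stays parked at the pre-publication step.

```bash
#!/usr/bin/env bash
# Added example: gate the KSK rollover on a DS check at the parent, then tell
# named the DS is published with `rndc dnssec -checkds` (BIND 9.16+).
# ZONE, KEYTAG, ALG, KEYDIR and PARENT_NS are constructed placeholders.
set -eu

ZONE="example.com"                  # zone under dnssec-policy (placeholder)
KEYTAG="12345"                      # key tag of the new KSK (placeholder)
ALG="013"                           # algorithm number as in the key file name
KEYDIR="/var/named/keys"            # key-directory from named.conf (placeholder)
PARENT_NS="a.gtld-servers.net"      # an authoritative server of the parent (placeholder)

# Canonicalise DS rdata ("tag alg digesttype digest ...") so records printed by
# different tools compare equal: digest chunks joined and upper-cased.
normalize_ds() {
  awk 'NF >= 4 {
    dg = ""
    for (i = 4; i <= NF; i++) dg = dg $i
    print $1, $2, $3, toupper(dg)
  }'
}

# ds_published WANT PARENT_RRSET
# Succeeds only if WANT (one DS rdata) appears in PARENT_RRSET
# (newline-separated DS rdata, as `dig +short DS` prints it).
ds_published() {
  want=$(printf '%s\n' "$1" | normalize_ds)
  [ -n "$want" ] || return 1
  printf '%s\n' "$2" | normalize_ds | grep -qxF -- "$want"
}

# Expected DS for the new KSK, derived from its public key file with
# dnssec-dsfromkey (SHA-256); owner, class and type are stripped to get rdata.
expected_ds() {
  dnssec-dsfromkey -2 "${KEYDIR}/K${ZONE}.+${ALG}+${KEYTAG}" \
    | awk '{ $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
}

# DS RRset actually served by the parent.
parent_ds() {
  dig +short @"$PARENT_NS" DS "${ZONE}."
}

# Only when the parent serves our DS do we let named move the roll forward.
check_and_roll() {
  want=$(expected_ds)
  have=$(parent_ds)
  if ds_published "$want" "$have"; then
    echo "DS for key ${KEYTAG} seen at ${PARENT_NS}; telling named to continue the roll"
    rndc dnssec -checkds -key "$KEYTAG" published "$ZONE"
  else
    echo "DS for key ${KEYTAG} not (yet) at ${PARENT_NS}; leaving the roll parked" >&2
    return 1
  fi
}

# Network and rndc calls happen only when explicitly requested, e.g. from cron:
#   RUN_LIVE=1 ./ksk-ds-check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_and_roll
fi
```

Run it from cron after each DS change request has been submitted; until the parent actually serves the new DS the script exits non-zero and named is not told anything, so the risk Bob describes (named retiring the old KSK while the parent still points at it) is avoided. Querying one parent server is the minimum; checking every parent nameserver, or waiting an extra parent-DS TTL after the first sighting, is the conservative variant.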
