Ask for automated KSK roll with DS checking

Tony Finch
Thu Apr 15 16:44:14 UTC 2021

Matthijs Mekking wrote:
> On 15-04-2021 16:35, Bob Harold wrote:
> >
> > If BIND holds both the child and parent zone, will it add the DS record
> > at the correct time?  Or do I still need to write scripts to update the
> > DS records in all my sub-zones?  And is there some signal from BIND at
> > the time the DS record should be written, or do I need to calculate the
> > right time?
> Currently you still have to write scripts to update DS records in all
> your parent zones.
> The CDS/CDNSKEY records are published in the child zones that indicate
> the DS should be published, so I would script against that.
> Then when the DS is seen in the parent, call the rndc dnssec -checkds
> published/withdrawn command.

dnssec-cds can tell you what the parental DS record(s) should be. It
can maintain a dsset file for each child zone that you can $INCLUDE in the
parent. It's fairly bare so it needs to be wrapped with a script that does
the necessary queries and updates.

I don't know if the dnssec-policy stuff includes timing parameters or
checks to protect against parental publication delays; if not then the
wrapper script will have to keep track of time or poll the parent servers
or something.
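As an added example (not code from this thread or from BIND), here is the core check such a wrapper script would make: derive the DS that a child's CDNSKEY implies (RFC 4034 key tag plus SHA-256 digest, which is what dnssec-cds computes for you), compare it with the DS RRset currently served by the parent, and only then emit the rndc checkds command. The CDNSKEY and parent DS values below are constructed, not a real key; a real wrapper would fetch both with dig and run the command instead of printing it.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY/CDNSKEY RDATA in wire form: flags, protocol, algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_cdnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """(key_tag, algorithm, digest_type, digest) the parent DS should carry; digest type 2 = SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def parse_ds(text: str):
    """Parse presentation-format DS RDATA: 'tag alg digest_type digest'."""
    tag, alg, dtype, digest = text.split()
    return (int(tag), int(alg), int(dtype), digest.upper())

def checkds_action(zone, expected_ds, parent_ds_set):
    """Return the rndc command once the parent serves the expected DS, else None (keep polling)."""
    if expected_ds in {parse_ds(d) for d in parent_ds_set}:
        return f"rndc dnssec -checkds published {zone}"
    return None

# Constructed sample data (not a real key): the child's CDNSKEY and the parent's current DS set.
CHILD = "sub.example.net"
CDNSKEY = (257, 3, 13, "AAECAw==")
EXPECTED = ds_from_cdnskey(CHILD, *CDNSKEY)

if __name__ == "__main__":
    stale = ["12345 13 2 " + "00" * 32]          # parent still has only the old DS
    print(checkds_action(CHILD, EXPECTED, stale))   # None: DS not yet published
    current = stale + ["%d %d %d %s" % EXPECTED]    # parent now also serves the new DS
    print(checkds_action(CHILD, EXPECTED, current))
```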

