Ask for automated KSK roll with DS checking

Bob Harold rharolde at umich.edu
Thu Apr 15 17:54:55 UTC 2021


On Thu, Apr 15, 2021 at 12:44 PM Tony Finch <dot at dotat.at> wrote:

> Matthijs Mekking <matthijs at isc.org> wrote:
> > On 15-04-2021 16:35, Bob Harold wrote:
> > >
> > > If BIND holds both the child and parent zone, will it add the DS record
> > > at the correct time?  Or do I still need to write scripts to update the
> > > DS records in all my sub-zones?  And is there some signal from BIND at
> > > the time the DS record should be written, or do I need to calculate the
> > > right time?
> >
> > Currently you still have to write scripts to update DS records in all
> > your parent zones.
> >
> > The CDS/CDNSKEY records are published in the child zones that indicate
> > the DS should be published, so I would script against that.
> >
> > Then when the DS is seen in the parent, call the rndc dnssec -checkds
> > published/withdrawn command.
>
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
>
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
> becoming rough later in west. Fair. Good.


Seeing that I still need some scripting, does anyone already have scripts
that work?

-- 
Bob Harold
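A minimal version of the comparison such a wrapper script needs, added here as an example and not code from the thread, BIND or ISC: it parses `dig +short`-style CDS and DS output, reports which DS records the parent still has to add or remove, and lists the `rndc dnssec -checkds` calls (using rndc's `-key` option to select the key tag) that are due once the parent matches. The zone name, key tags and digests are constructed sample data; running dig against the parent servers, persisting state between runs and executing rndc are left to the operator's script.

```python
"""Compare a child zone's CDS RRset with the DS RRset its parent serves and
return the parent-side updates and `rndc dnssec -checkds` signals now due.
Input is `dig +short`-style text, e.g. `dig +short CDS child.example`."""

from collections import namedtuple

# One DS/CDS record; digest is upper-case hex with any whitespace removed.
DSRecord = namedtuple("DSRecord", "keytag algorithm digest_type digest")

def parse_rrset(text):
    """Parse lines of the form '<keytag> <alg> <digest type> <digest...>'.
    dig may print a long digest as several fields, so fields[3:] are joined."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank line or unrelated output
        keytag, alg, dtype = (int(f) for f in fields[:3])
        if (keytag, alg, dtype) == (0, 0, 0):
            continue  # RFC 8078 "delete" CDS: the desired DS set is empty
        records.add(DSRecord(keytag, alg, dtype, "".join(fields[3:]).upper()))
    return records

def plan_rollover_step(zone, cds_text, parent_ds_text, previously_published=()):
    """Return what the wrapper should do now. `previously_published` holds the
    key tags whose DS the parent served on the previous run (state the wrapper
    must persist), so a DS that has since disappeared is reported withdrawn."""
    cds, ds = parse_rrset(cds_text), parse_rrset(parent_ds_text)
    rndc = []
    for rec in sorted(cds & ds):  # DS is live in the parent: let BIND continue the roll
        rndc.append(["rndc", "dnssec", "-checkds", "-key", str(rec.keytag), "published", zone])
    live_tags = {r.keytag for r in ds}
    for keytag in sorted(set(previously_published) - live_tags):
        rndc.append(["rndc", "dnssec", "-checkds", "-key", str(keytag), "withdrawn", zone])
    return {
        "add_to_parent": sorted(cds - ds),       # parent still needs these DS records
        "remove_from_parent": sorted(ds - cds),  # parent still serves stale DS records
        "rndc": rndc,
    }

# Constructed sample: the child rolled from KSK 21012 to KSK 48756 and now
# publishes CDS for the new key only, while the parent still serves both DS.
CHILD_CDS = "48756 13 2 1F2E3D4C5B6A79880099AABBCCDDEEFF00112233445566778899AABBCCDDEEFF\n"
PARENT_DS = ("21012 13 2 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333444455556666777788889999\n"
             "48756 13 2 1f2e3d4c5b6a79880099aabbccddeeff 00112233445566778899aabbccddeeff\n")

if __name__ == "__main__":
    for action, items in plan_rollover_step("child.example", CHILD_CDS, PARENT_DS).items():
        print(action, items)
```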