hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

PGNet Dev pgnet.dev at gmail.com
Thu Jun 10 12:18:57 UTC 2021

DNSSEC signing using Bind 9.16.x's internal/automated key mgmt correctly 
generates PublishCDS, DSChange, DSState data for the KSK .state.

Subsequent published data correctly contains CDS/CDNSKEY data.

Most registrars are still incapable of polling for updates, and require, at 
best, API push of DS Records for promotion to TLD parent.

("We're looking into it ..." and "You should expect it by the end of year ..." 
seems to be the most common, years-long excuses ... er ... promises I've gotten).

About a year ago, I'd submitted

	"automation of DS Record submit to registrar/parent, integrated with 'new' 
kasp/dnssec-policy support in bind"

So far, no visible progress.

Before bind's current, integrated approach, I'd done some sloppy scripting with 
opendnssec, and it ended up being a fragile mess.

I can certainly can set up kludgy, async polling scripts &/or cronjobs to do the 
same with bind; It seems so 1990s :-/ Just looking for something more integrated.

Short of the registrars getting a clue anytime soon, or moving to .CZ/.CH where 
CDS/CDNSKEY polling seems uniquely doable ...

Has anyone here on-list figured out how to hook bind's internal signing process 
to *trigger* and external script to exec those API pushes?

Also, input/comment from devs here, &/or @ #1890 would be appreciated.

More information about the bind-users mailing list