hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

PGNet Dev pgnet.dev at gmail.com
Tue Jun 15 14:32:03 UTC 2021

On 6/10/21 8:38 AM, Tony Finch wrote:
> PGNet Dev <pgnet.dev at gmail.com> wrote:
>> Has anyone here on-list figured out how to hook bind's internal signing
>> process to *trigger* and external script to exec those API pushes?
> I have not, and I also want to be able to do this, and I also want
> scripting hooks for whenever any keys change so that I can stash them
> somewhere safer.

> Tony.

fyi, @

  automation of DS Record submit to registrar/parent, integrated with 'new' kasp/dnssec-policy support in bind

the current feedback is " ... we think the best way is that the user scripts this by them self ... "

and follows with " ... it is more likely that the CDS/CDNSKEY polling will be more common than pushing DS updates. A couple of TLDs have implemented this already and it looks like there is some movement on this topic in the Registrar world."

Of course inaction by TLDs & Registrars has been years-long ...

More information about the bind-users mailing list