hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

Matthijs Mekking matthijs at isc.org
Tue Jun 15 14:50:45 UTC 2021

On 15-06-2021 16:32, PGNet Dev wrote:
> On 6/10/21 8:38 AM, Tony Finch wrote:
>> PGNet Dev <pgnet.dev at gmail.com> wrote:
>>> Has anyone here on-list figured out how to hook bind's internal signing
>>> process to *trigger* an external script to exec those API pushes?
>> I have not, and I also want to be able to do this, and I also want
>> scripting hooks for whenever any keys change so that I can stash them
>> somewhere safer.
>> Tony.
> fyi, @
>   automation of DS Record submit to registrar/parent, integrated with 
> 'new' kasp/dnssec-policy support in bind
>    https://gitlab.isc.org/isc-projects/bind9/-/issues/1890
> the current feedback is " ... we think the best way is that the user 
> scripts this by them self ... "

A brief summary. Folks that are interested in the reasons why can read 
up and discuss here:


> and follows with " ... it is more likely that the CDS/CDNSKEY polling 
> will be more common than pushing DS updates. A couple of TLDs have 
> implemented this already and it looks like there is some movement on 
> this topic in the Registrar world."
> Of course inaction by TLDs & Registrars has been years-long ...

You may be interested in the multi-signer project, that is now actively 
pushing for this:





More information about the bind-users mailing list