hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
Matthijs Mekking
matthijs at isc.org
Tue Jun 15 14:50:45 UTC 2021
On 15-06-2021 16:32, PGNet Dev wrote:
> On 6/10/21 8:38 AM, Tony Finch wrote:
>> PGNet Dev <pgnet.dev at gmail.com> wrote:
>>>
>>> Has anyone here on-list figured out how to hook bind's internal signing
>>> process to *trigger* and external script to exec those API pushes?
>>
>> I have not, and I also want to be able to do this, and I also want
>> scripting hooks for whenever any keys change so that I can stash them
>> somewhere safer.
>
>>
>> Tony.
>
> fyi, @
>
> automation of DS Record submit to registrar/parent, integrated with
> 'new' kasp/dnssec-policy support in bind
> https://gitlab.isc.org/isc-projects/bind9/-/issues/1890
>
> the current feedback is " ... we think the best way is that the user
> scripts this by them self ... "
A brief summary. Folks that are interested in the reasons why can read
up and discuss here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1890#note_220217
> and follows with " ... it is more likely that the CDS/CDNSKEY polling
> will be more common than pushing DS updates. A couple of TLDs have
> implemented this already and it looks like there is some movement on
> this topic in the Registrar world."
>
> Of course inaction by TLDs & Registrars has been years-long ...
You may be interested in the multi-signer project, that is now actively
pushing for this:
https://github.com/DNSSEC-Provisioning/Multi-signer/
Cheers,
Matthijs
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list