hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
matthijs at isc.org
Tue Jun 15 14:50:45 UTC 2021
On 15-06-2021 16:32, PGNet Dev wrote:
> On 6/10/21 8:38 AM, Tony Finch wrote:
>> PGNet Dev <pgnet.dev at gmail.com> wrote:
>>> Has anyone here on-list figured out how to hook bind's internal signing
>>> process to *trigger* and external script to exec those API pushes?
>> I have not, and I also want to be able to do this, and I also want
>> scripting hooks for whenever any keys change so that I can stash them
>> somewhere safer.
> fyi, @
> automation of DS Record submit to registrar/parent, integrated with
> 'new' kasp/dnssec-policy support in bind
> the current feedback is " ... we think the best way is that the user
> scripts this by them self ... "
A brief summary. Folks that are interested in the reasons why can read
up and discuss here:
> and follows with " ... it is more likely that the CDS/CDNSKEY polling
> will be more common than pushing DS updates. A couple of TLDs have
> implemented this already and it looks like there is some movement on
> this topic in the Registrar world."
> Of course inaction by TLDs & Registrars has been years-long ...
You may be interested in the multi-signer project, that is now actively
pushing for this:
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> bind-users mailing list
> bind-users at lists.isc.org
More information about the bind-users