hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

PGNet Dev pgnet.dev at gmail.com
Tue Jun 15 22:34:53 UTC 2021

On 6/15/21 4:40 PM, Tony Finch wrote:
> How should named say that a key has changed? It's a multithreaded program
> so it can't fork (not without a single-threaded helper process) so maybe
> it should fire off a message to a socket that the script machinery can
> listen to. (Maybe abuse NOTIFY for the purpose?) The feedback loop can be
> closed using an rndc command.

With a NOTIFY, something like _your_ old listener

  nsnotifyd: handle DNS NOTIFY messages by running a command

gets interesting.

Don't know yet how dusty that is, or relevant to current bind 9.16+, etc. --
but the general 'respond immediately to a NOTIFY' sounds quite useful.
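For illustration, here is the listener half of the mechanism Tony sketches, as an added example rather than code from nsnotifyd or BIND: it parses a raw DNS NOTIFY (RFC 1996, opcode 4, SOA question), recovers the zone name and runs whatever per-zone hook is registered, which is where a DS-update script would be invoked. The hook table and the constructed sample message are assumptions; a real deployment would also bind a UDP socket and authenticate the sender (TSIG or a source-address allow-list) before acting.

```python
import struct
from typing import Callable, Dict, Optional

OPCODE_NOTIFY = 4   # RFC 1996
QTYPE_SOA = 6
QCLASS_IN = 1


def parse_notify(msg: bytes) -> Optional[str]:
    """Return the zone named in a NOTIFY request, or None if msg is not one."""
    if len(msg) < 12:
        return None
    _msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if qr != 0 or opcode != OPCODE_NOTIFY or qdcount != 1:
        return None
    # Walk the QNAME labels; a question section must not use compression.
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                      # truncated name
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            return None
        label = msg[pos:pos + length]
        if not label.isascii():
            return None
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        return None                          # truncated qtype/qclass
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    if qtype != QTYPE_SOA or qclass != QCLASS_IN:
        return None
    return ".".join(labels).lower() + "."    # canonical, fully-qualified


def dispatch(msg: bytes, hooks: Dict[str, Callable[[str], str]]) -> Optional[str]:
    """Run the hook registered for the notified zone (assumed hook table)."""
    zone = parse_notify(msg)
    if zone is None or zone not in hooks:
        return None                          # unknown zone: ignore, don't act
    return hooks[zone](zone)


def build_notify(zone: str, msg_id: int = 0x1234) -> bytes:
    """Constructed sample NOTIFY request, standing in for what named sends."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_NOTIFY << 11, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return header + qname + b"\0" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
```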

