hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

PGNet Dev pgnet.dev at gmail.com
Wed Jun 16 12:27:25 UTC 2021

On 6/16/21 7:04 AM, Tony Finch wrote:
> Maaaaaaybe. Bare NOTIFY can say which zone's keys have changed, but not
> what the state transition is, so it isn't what I would consider to be a
> complete solution.

Pulling the thread a bit more, Jan-Piet Mens @

  "Alert, backup, whatever on DNS NOTIFY with nsnotifyd"

appears to refer to that same challenge,

  "This is a very welcome alternative to doing it in Perl, as I did when I wanted
   to be notified of new and changed KSK in a zone."


    "Being notified of new and changed KSK in a zone"

& implements a "key-listen.pl" script that listens for & reacts to KSK changes.
From just reading (don't see the source code?), it's triggered by the NOTIFY from NSD and subsequently polls for the DNSKEY RRSet ...

I don't yet know what specific state transition info is carried in that _NOTIFY_, or if it's sufficient.
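As an added illustration of the "poll the DNSKEY RRset after a NOTIFY and react to KSK changes" approach discussed above (example code written for this thread, not the key-listen.pl script or anything from nsnotifyd), the snippet below diffs two DNSKEY RRset snapshots in presentation format and reports KSKs (flags 257) that appeared or disappeared, identified by RFC 4034 key tag and algorithm. The two snapshots are constructed sample data; fetching them (e.g. a dig query issued from the NOTIFY-triggered script) is left to the caller.

```python
"""Detect KSK additions/removals between two DNSKEY RRset snapshots (added example)."""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class DnskeyRR:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        # RFC 4034: ZONE bit (256) and SEP bit (1) both set -> flags 257
        return self.flags & 0x0101 == 0x0101

    @property
    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag computed over the wire-format RDATA
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
        ac = 0
        for i, b in enumerate(rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey_rrset(text: str) -> set:
    """Parse DNSKEY records in presentation format (as printed by dig); ';' comments are ignored."""
    rrs = set()
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = (int(f) for f in fields[4:7])
        rrs.add(DnskeyRR(flags, proto, alg, base64.b64decode("".join(fields[7:]))))
    return rrs


def ksk_changes(before: str, after: str) -> dict:
    """Return (key_tag, algorithm) pairs of KSKs added or removed between the two snapshots."""
    old = {rr for rr in parse_dnskey_rrset(before) if rr.is_ksk}
    new = {rr for rr in parse_dnskey_rrset(after) if rr.is_ksk}
    return {"added": sorted((rr.key_tag, rr.algorithm) for rr in new - old),
            "removed": sorted((rr.key_tag, rr.algorithm) for rr in old - new)}


# Constructed sample snapshots: one KSK + one ZSK, then a second KSK published (pre-publish step).
BEFORE = """example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==  ; KSK
example.com. 3600 IN DNSKEY 256 3 13 BQYHCA==  ; ZSK"""
AFTER = BEFORE + "\nexample.com. 3600 IN DNSKEY 257 3 13 ECAwQA==  ; new KSK"

if __name__ == "__main__":
    print(ksk_changes(BEFORE, AFTER))
```

A non-empty "added" list is the point at which a DS update for the parent would need to be generated; an entry in "removed" is the point at which the old DS can be withdrawn.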

More information about the bind-users mailing list