hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

PGNet Dev pgnet.dev at gmail.com
Wed Jun 16 12:27:25 UTC 2021


On 6/16/21 7:04 AM, Tony Finch wrote:
> Maaaaaaybe. Bare NOTIFY can say which zone's keys have changed, but not
> what the state transition is, so it isn't what I would consider to be a
> complete solution.

Pulling the thread a bit more, Jan-Piet Mens @

  "Alert, backup, whatever on DNS NOTIFY with nsnotifyd"
   https://jpmens.net/2015/06/16/alert-on-dns-notify/

appears to refer to that same challenge,

  "This is a very welcome alternative to doing it in Perl, as I did when I wanted
   to be notified of new and changed KSK in a zone."

   -->

    "Being notified of new and changed KSK in a zone"
     https://jpmens.net/2015/03/05/being-notified-of-new-an-changed-ksk-in-the-zone/

& implements a "key-listen.pl" script that listens for & reacts to KSK changes.
From just reading (don't see the source code?), it's triggered by the NOTIFY from NSD and subsequently polls for the DNSKEY RRset ...

I don't yet know what specific state transition info is carried in that _NOTIFY_, or if it's sufficient.
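As an added example (not from this post, and not Jan-Piet Mens's key-listen.pl, whose source is not on this page): a pure standard-library Python sketch of the polling side such a NOTIFY-triggered hook needs. It diffs two polled DNSKEY RRsets, keeps only KSKs (SEP bit set, flags 257), and emits the SHA-256 DS records the parent must publish or withdraw. The owner name, RRsets and key material are constructed toy values, not real keys.

```python
import base64
import hashlib
import struct

def parse_dnskey_line(line: str):
    """One presentation-format DNSKEY RR (as dig prints it) -> (owner, flags, proto, alg, key_b64)."""
    f = line.split()
    i = f.index("DNSKEY")
    return (f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]))

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> str:
    """DS RR with digest type 2 (SHA-256) over owner name + DNSKEY RDATA, RFC 4034 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ksk_changes(previous: list, current: list):
    """Diff two polled DNSKEY RRsets (presentation lines). Only KSKs (SEP bit set,
    flags 257) concern the parent; ZSK rollovers are ignored. Returns
    (DS records to publish, key tags whose DS should be withdrawn)."""
    def ksks(lines):
        out = {}
        for k in map(parse_dnskey_line, lines):
            if k[1] & 0x0001:  # SEP flag bit marks a KSK
                out[key_tag(dnskey_rdata(*k[1:]))] = k
        return out
    old, new = ksks(previous), ksks(current)
    added = [ds_record(*new[t]) for t in sorted(set(new) - set(old))]
    removed = sorted(set(old) - set(new))
    return added, removed

# Constructed sample RRsets (toy key material, not real keys): a ZSK, then a new KSK appears.
BEFORE = ["example.org. 3600 IN DNSKEY 256 3 13 BQY="]
AFTER = BEFORE + ["example.org. 3600 IN DNSKEY 257 3 13 AQIDBA=="]
```

Run `ksk_changes(BEFORE, AFTER)` after each NOTIFY-triggered poll; a non-empty result is the event the hook should act on (and the DS text is what `dnssec-dsfromkey` would produce for the same key).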


More information about the bind-users mailing list