hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
PGNet Dev
pgnet.dev at gmail.com
Wed Jun 16 12:27:25 UTC 2021
On 6/16/21 7:04 AM, Tony Finch wrote:
> Maaaaaaybe. Bare NOTIFY can say which zone's keys have changed, but not
> what the state transition is, so it isn't what I would consider to be a
> complete solution.
Pulling the thread a bit more, Jan-Piet Mens @
"Alert, backup, whatever on DNS NOTIFY with nsnotifyd"
https://jpmens.net/2015/06/16/alert-on-dns-notify/
appears to refer to that same challenge,
"This is a very welcome alternative to doing it in Perl, as I did when I wanted
to be notified of new and changed KSK in a zone."
-->
"Being notified of new and changed KSK in a zone"
https://jpmens.net/2015/03/05/being-notified-of-new-an-changed-ksk-in-the-zone/
& implements a "key-listen.pl" script that listens for & reacts to KSK changes.
From just reading (don't see the source code?), it's triggered by the NOTIFY from NSD and subsequently polls for the DNSKEY RRSet ...
I don't yet know what specific state transition info is carried in that _NOTIFY_, or if it's sufficient.
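An added illustration of the "NOTIFY, then poll DNSKEY" pattern discussed above; this is example code, not part of the post, of nsnotifyd, or of Jan-Piet Mens' key-listen.pl. Since a bare NOTIFY carries no key-state information, the handler has to keep the previously seen DNSKEY RRset and diff it against a fresh poll to find new or removed KSKs, and then emit the DS record the parent would need. The RRset text, zone name and keys below are constructed sample data (the public keys are a few arbitrary bytes, not real keys); parsing and key-tag/DS computation follow RFC 4034 so the script runs without dnspython.

```python
"""Detect KSK changes between two polls of a zone's DNSKEY RRset and derive
the DS record for any new KSK.  Added example code (not from the post)."""
import base64
import hashlib
from dataclasses import dataclass

ZONE_KEY = 0x0100  # RFC 4034 flags bit 7: Zone Key
SEP = 0x0001       # RFC 4034 flags bit 15: Secure Entry Point (marks a KSK)


@dataclass(frozen=True)
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & ZONE_KEY) and bool(self.flags & SEP)

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    @property
    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag over the wire-format RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey_rrset(text: str) -> set:
    """Parse presentation-format DNSKEY lines; base64 may be split by spaces."""
    keys = set()
    for line in text.splitlines():
        tokens = line.split()
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pub = base64.b64decode("".join(tokens[i + 4:]))
        keys.add(DnsKey(flags, proto, alg, pub))
    return keys


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_record(owner: str, key: DnsKey) -> str:
    """DS RDATA for a KSK with digest type 2 (SHA-256), RFC 4034 section 5.1.4."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).hexdigest().upper()
    return f"{key.key_tag} {key.algorithm} 2 {digest}"


def ksk_changes(previous: set, current: set) -> dict:
    prev_ksk = {k for k in previous if k.is_ksk}
    cur_ksk = {k for k in current if k.is_ksk}
    return {"added": sorted(cur_ksk - prev_ksk, key=lambda k: k.key_tag),
            "removed": sorted(prev_ksk - cur_ksk, key=lambda k: k.key_tag)}


def on_notify(zone: str, previous_text: str, polled_text: str) -> list:
    """What a NOTIFY handler would run: diff the stored RRset against the fresh
    poll and return one event string per KSK transition (empty if none)."""
    changes = ksk_changes(parse_dnskey_rrset(previous_text),
                          parse_dnskey_rrset(polled_text))
    events = [f"{zone}: new KSK tag {k.key_tag}; DS to publish: {ds_record(zone, k)}"
              for k in changes["added"]]
    events += [f"{zone}: KSK tag {k.key_tag} withdrawn; DS can be removed"
               for k in changes["removed"]]
    return events


# Constructed sample RRsets (not real keys): a ZSK plus one KSK, then a
# second KSK appears as a rollover starts.
OLD_RRSET = """example.net. 3600 IN DNSKEY 257 3 13 AAA=
example.net. 3600 IN DNSKEY 256 3 13 AQE="""
NEW_RRSET = """example.net. 3600 IN DNSKEY 257 3 13 AAA=
example.net. 3600 IN DNSKEY 257 3 13 AgI=
example.net. 3600 IN DNSKEY 256 3 13 AQE="""

if __name__ == "__main__":
    for event in on_notify("example.net", OLD_RRSET, NEW_RRSET):
        print(event)
```

A real handler would obtain the fresh RRset by querying the authoritative server after the NOTIFY arrives and would persist the last-seen RRset between runs; a silent NOTIFY with no KSK difference simply yields no events, which is the case the post worries about, since the NOTIFY alone cannot say which transition happened.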