hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
PGNet Dev
pgnet.dev at gmail.com
Wed Jun 16 15:04:30 UTC 2021
@jpmens was kind enough to share the original basis for the simple perl script referenced above,
which to recollection was 'mainly an example taken from the Net::DNS documentation.'
--------------------------------
#!/usr/bin/perl -w
use strict;
use Net::DNS::Nameserver;

# Called by Net::DNS::Nameserver for every inbound NOTIFY.
sub notification {
    my ($qname, $qclass, $qtype, $peer, $packet) = @_;
    # We are being notified (NOTIFY) for domain $qname.
    print "WOW. Got NOTIFY for $qname!\n";
    # Submit this notification to your monitoring system. In
    # the case of Nagios, you could update a database table
    # from which it later reads the result, or you can
    # implement a passive notification, etc.
    return ('NOERROR', [], [], [],
        { aa => 1, opcode => 'NS_NOTIFY_OP' });
}

# Ordinary queries are refused with SERVFAIL; this listener only
# exists to receive NOTIFY messages.
sub handler {
    my ($qname, $qclass, $qtype, $peer) = @_;
    my (@ans, @auth, @add);
    return ('SERVFAIL', \@ans, \@auth, \@add);
}

my $ns = Net::DNS::Nameserver->new(
    LocalAddr     => '127.0.0.2',
    LocalPort     => 53,
    ReplyHandler  => \&handler,      # Unused, but needs defining
    NotifyHandler => \&notification,
    Verbose       => 0,
    Debug         => 0,
) || die("Can't create nameserver object: $!");

$ns->main_loop;
--------------------------------
He also mentioned
Logging of CDS/CDNSKEY generation for workflow
https://gitlab.isc.org/isc-projects/bind9/-/issues/1748
which requests:
Would it be possible to log CDS/CDNSKEY generation in such a way as that a "simple" workflow can be implemented in order to create tooling which reacts on the log and performs a dynamic update on a parent zone.
Whenever a CDS/CDNSKEY is published in a child zone, BIND could create a log record indicating for which zone this has occurred.
and appears to have been implemented (?), but not committed/released.
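As an added example (not from this post and not part of @jpmens' script or of BIND), here is the parent-side step that such a NOTIFY or log hook would call once the child's CDNSKEY set has been fetched: derive SHA-256 DS records from the CDNSKEYs (RFC 4034 key tag), diff them against the DS set already in the parent, honour the RFC 8078 "remove all DS" signal, and emit an nsupdate script for the parent zone. Zone names and key material below are constructed, and the code assumes the CDNSKEY set was obtained through DNSSEC validation before being handed to it.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_cdnskey(owner, flags, proto, alg, key_b64):
    """Build a (keytag, alg, digest_type, digest) DS tuple from one CDNSKEY."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)
    acc = 0                                  # key tag, RFC 4034 Appendix B
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    tag = acc & 0xFFFF
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (tag, alg, 2, digest)             # digest type 2 = SHA-256


def plan_ds_update(child, cdnskeys, current_ds):
    """Return (adds, deletes) needed to make the parent's DS set match the
    child's CDNSKEY set. cdnskeys: [(flags, proto, alg, key_b64), ...];
    current_ds: DS tuples currently published in the parent.
    Caller must only pass a CDNSKEY set that passed DNSSEC validation."""
    if any(alg == 0 for (_f, _p, alg, _k) in cdnskeys):
        # RFC 8078 delete signal ("0 3 0 AA=="): child wants all DS removed.
        return [], sorted(current_ds)
    wanted = {ds_from_cdnskey(child, *k) for k in cdnskeys}
    have = set(current_ds)
    return sorted(wanted - have), sorted(have - wanted)


def nsupdate_script(parent, child, adds, deletes, ttl=3600):
    """Render the planned change as input for nsupdate (one zone, one send)."""
    lines = [f"zone {parent}"]
    for tag, alg, dt, dg in deletes:
        lines.append(f"update delete {child} DS {tag} {alg} {dt} {dg}")
    for tag, alg, dt, dg in adds:
        lines.append(f"update add {child} {ttl} DS {tag} {alg} {dt} {dg}")
    lines.append("send")
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed sample: a tiny fake key, not a real ECDSA public key
    keys = [(257, 3, 13, "AQIDBA==")]
    adds, dels = plan_ds_update("child.example.", keys, [])
    print(nsupdate_script("example.", "child.example.", adds, dels))
```

Pipe the rendered text into nsupdate with a TSIG key that is allowed to modify only the child's DS RRset in the parent's update-policy.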