bind-us...@arminpech.de <bind-us...@arminpech.de> wrote:
>
> I would like to handle KSK updates of second level domains using that
> tool (option -k applies policy only on KSKs). And especially I'm looking
> for an interface to trigger updates of DS records.
>
> The call on dnssec-settime might be wrapped using the -s option of
> dnssec-keymgr to send a DS update via the registrar to the parent on
> publications or removals of DNSKEYs from the zone.
>
> But are there any other concepts or thoughts like supporting hooks for
> different phases in key rollovers?

I would like dnssec-settime to be able to record when DS records should
change - not for use by BIND's signing tools, but for use by my own (or
3rd party) registration API clients. Then dnssec-keymgr could set these
times according to the rollover policy, and invoke the DS update client
when appropriate. It should also use dnssec-checkds to verify the API call
worked.

(I think I have said something like that before, so my apologies if I am
being a bore...)

My registration API clients only deal with updating DNS delegations, they
aren't aiming at full EPP functionality. The model is roughly like nsdiff:
you give it a set of DS, NS, and glue records which are what the
delegation should look like, and it makes the necessary changes. So it's
naturally idempotent.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames: Westerly 4 or 5, becoming variable 3 or less. Slight,
occasionally moderate. Rain at first in east, otherwise fair. Good,
occasionally moderate.
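
The declarative delegation model described in the message above, sketched as an added example that is not part of the original post and is not the author's registration client. The function names, the `example.org` records and the DS digests are all constructed for illustration; a real client would read the current set from the registry and send the planned changes through its API.

```python
import ipaddress

def normalize(record):
    """Canonicalise one (owner, rrtype, rdata) tuple so equal records compare equal."""
    owner, rrtype, rdata = record
    owner = owner.lower().rstrip(".") + "."
    rrtype = rrtype.upper()
    fields = rdata.split()
    if rrtype == "DS":
        # key tag, algorithm, digest type, then the hex digest (which may
        # be split by whitespace and written in either case)
        tag, alg, dtype = (str(int(f)) for f in fields[:3])
        rdata = " ".join([tag, alg, dtype, "".join(fields[3:]).upper()])
    elif rrtype == "NS":
        rdata = fields[0].lower().rstrip(".") + "."
    else:
        # glue A/AAAA: let ipaddress produce the canonical text form
        rdata = str(ipaddress.ip_address(fields[0]))
    return (owner, rrtype, rdata)

def plan(current, desired):
    """Return the changes that turn the current delegation into the desired one."""
    cur = {normalize(r) for r in current}
    want = {normalize(r) for r in desired}
    return {"add": sorted(want - cur), "remove": sorted(cur - want)}

def apply_plan(current, changes):
    """Simulate the parent applying a plan (stands in for the registry API call)."""
    state = {normalize(r) for r in current}
    return (state - set(changes["remove"])) | set(changes["add"])

# Constructed sample: what the parent publishes now, with mixed case and dots.
CURRENT_PARENT = [
    ("example.org", "NS", "ns1.example.org."),
    ("example.org.", "NS", "NS2.Example.Org"),
    ("ns1.example.org.", "A", "192.0.2.1"),
    ("ns2.example.org.", "AAAA", "2001:DB8:0:0:0:0:0:2"),
    ("example.org.", "DS", "12345 13 2 " + "ab" * 32),
]
# Desired state during a KSK rollover: the same delegation plus the new key's DS.
DESIRED = CURRENT_PARENT + [("Example.org.", "DS", "54321 13 2 " + "CD" * 32)]

if __name__ == "__main__":
    changes = plan(CURRENT_PARENT, DESIRED)
    print(changes)
    # A second run against the updated state plans nothing: idempotent.
    print(plan(apply_plan(CURRENT_PARENT, changes), DESIRED))
```

Because the input is the full desired state rather than a list of operations, a run that is repeated after a timeout or a partial failure converges on the same delegation instead of adding or removing records twice.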