Mark Elkins <m...@posix.co.za> wrote:
>
> On my side, I can 'import' the KSK from the properly signed zone,
> Generate the DS record and EPP it up to the Registry. That all works
> fine, currently with the push of one (web) button. Will change/add this
> to something RESTful. Then, for full automation (KSK Rollovers) - I'd
> need dnssec-keymgr to call an external script when it's time to trigger
> some sort of "Sync" action.
Sounds nice!

Yes, there's definitely a missing hook or two in dnssec-keymgr: as you say, it needs to be able to call a script to update the parent, and also, it is crucial that it checks that the parent has actually deployed the new DS records because that's often asynchronous, sometimes with long delays. Any KSK roll must stop at the DS update point until the update has been confirmed, otherwise you have a footgun. In its current state I don't think dnssec-keymgr is safe for KSK rolls unless you wrap it in lots of protective scripting.

> Didn't spot anything to auto-generate CDS records although BIND 9.11 is
> apparently capable.

This is still a work in progress. dnssec-settime has -P sync and -D sync options to specify when CDS and CDNSKEY records are added and removed. CDS/CDNSKEY publication is implemented by named's built-in signer but not by dnssec-signzone. dnssec-keymgr does not yet know about -P sync or -D sync, as its man page mentions.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Bailey: South 4 or 5, increasing 6 at times. Moderate. Rain. Moderate or good, occasionally poor.
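The check Tony describes, a KSK roll holding at the DS-update step until every parent server actually publishes the new DS, is the kind of thing the "protective scripting" around dnssec-keymgr has to do. The example below is added here and is not code from BIND, dnssec-keymgr or either poster. It derives the DS record from a DNSKEY the way RFC 4034 specifies (key tag plus a digest over the wire-format owner name and DNSKEY RDATA) and then gates the roll on the parent's answers. All values are constructed: `example.test.` and the `parent.test.` server names are made up, the key material is a dummy 4-byte key, and the parent "answers" are hand-built sets standing in for real DS queries against each authoritative server of the parent zone.

```python
"""Gate a KSK rollover on confirmed DS publication at the parent.

Added example, not code from BIND or dnssec-keymgr. Everything is constructed:
dummy key bytes, a made-up zone name, and hand-built parent server answers.
"""
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased, as used for DS digests (RFC 4034 5.1.4)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 for a KSK with the SEP bit), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Build the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY.

    Digest = H(owner name in wire format || DNSKEY RDATA); type 2 is SHA-256, type 4 is SHA-384.
    """
    hashers = {2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hashers[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_confirmed(expected: set, observed_by_server: dict) -> tuple:
    """Decide whether the roll may continue past the DS-update step.

    expected: DS tuples that must be published for the new KSK.
    observed_by_server: {server name: set of DS tuples that server answered with}.
    Returns (ok, missing), where missing maps each lagging server to the DS
    tuples it has not yet published. No answers at all is never confirmation.
    """
    if not observed_by_server:
        return False, {}
    missing = {}
    for server, ds_set in observed_by_server.items():
        lacking = set(expected) - set(ds_set)
        if lacking:
            missing[server] = lacking
    return (not missing), missing


if __name__ == "__main__":
    zone = "example.test."  # constructed child zone name
    old_ksk = dnskey_rdata(257, 13, b"\xaa\xbb\xcc\xdd")  # constructed dummy key bytes
    new_ksk = dnskey_rdata(257, 13, b"\x00\x01\x02\x03")
    old_ds = ds_from_dnskey(zone, old_ksk)
    new_ds = ds_from_dnskey(zone, new_ksk)
    # Constructed parent answers: one server already carries the new DS, the other lags.
    answers = {
        "a.parent.test.": {old_ds, new_ds},
        "b.parent.test.": {old_ds},
    }
    ok, missing = ds_confirmed({new_ds}, answers)
    print("proceed" if ok else f"hold: waiting on {sorted(missing)}")
    # Once the lagging server publishes the new DS the roll may continue.
    answers["b.parent.test."].add(new_ds)
    ok, missing = ds_confirmed({new_ds}, answers)
    print("proceed" if ok else f"hold: waiting on {sorted(missing)}")
```

The point of `ds_confirmed` returning the per-server gap rather than a bare boolean is that DS propagation at a registry is asynchronous: a wrapper that polls should keep holding, and log which parent server is behind, until every one of them answers with the new DS. Only then is it safe to let the old KSK stop signing.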