On 6/16/21 7:04 AM, Tony Finch wrote:
Maaaaaaybe. Bare NOTIFY can say which zone's keys have changed, but not
what the state transition is, so it isn't what I would consider to be a
complete solution.

Pulling the thread a bit more, Jan-Piet Mens @

 "Alert, backup, whatever on DNS NOTIFY with nsnotifyd"
  https://jpmens.net/2015/06/16/alert-on-dns-notify/

appears to refer to that same challenge,

 "This is a very welcome alternative to doing it in Perl, as I did when I wanted
  to be notified of new and changed KSK in a zone."

  -->

   "Being notified of new and changed KSK in a zone"
    https://jpmens.net/2015/03/05/being-notified-of-new-an-changed-ksk-in-the-zone/

& implements a "key-listen.pl" script that listens for & reacts to KSK changes.
From just reading (don't see the source code?), it's triggered by the NOTIFY 
from NSD and subsequently polls for DNSKEY RRSet ...

I don't yet know what specific state transition info is carried in that 
_NOTIFY_, or if it's sufficient.
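
Added example, not part of the original message and not the key-listen.pl script: a Python illustration of the NOTIFY-then-poll pattern discussed above, showing that a bare NOTIFY question yields only the zone name and that the KSK transition has to be derived by diffing the DNSKEY RRset before and after. The packet bytes, the DNSKEY RDATA values and the function names are constructed for illustration; fetching the RRset from a server is assumed to happen elsewhere.

```python
import struct

def parse_notify(msg: bytes):
    """Decode header and first question; return (opcode, zone, qtype, ancount)."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    return (flags >> 11) & 0xF, ".".join(labels) + ".", qtype, ancount

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ksk_changes(old, new):
    """Diff two DNSKEY RRsets (lists of RDATA bytes), keeping only SEP-flagged keys."""
    def ksks(rrset):
        return {r for r in rrset if struct.unpack("!H", r[:2])[0] & 0x0001}
    o, n = ksks(old), ksks(new)
    return {"added": sorted(key_tag(r) for r in n - o),
            "removed": sorted(key_tag(r) for r in o - n)}

# Constructed sample data: a NOTIFY (opcode 4, AA set) for example.com, SOA/IN,
# with empty answer section, plus placeholder DNSKEY RDATA (flags, proto, alg, key).
SAMPLE_NOTIFY = (struct.pack("!6H", 0x1234, 0x2400, 1, 0, 0, 0)
                 + b"\x07example\x03com\x00" + struct.pack("!2H", 6, 1))
KSK_A = struct.pack("!HBB", 257, 3, 13) + b"\x01" * 4
KSK_B = struct.pack("!HBB", 257, 3, 13) + b"\x02" * 4
ZSK = struct.pack("!HBB", 256, 3, 13) + b"\x03" * 4

if __name__ == "__main__":
    opcode, zone, qtype, ancount = parse_notify(SAMPLE_NOTIFY)
    # The NOTIFY names the zone only; ancount == 0 means no RRset came with it.
    print(f"opcode={opcode} zone={zone} qtype={qtype} ancount={ancount}")
    # The transition is only visible by comparing the polled RRset to the stored one.
    print(ksk_changes([KSK_A, ZSK], [KSK_A, KSK_B, ZSK]))
```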