Been playing with OpenDNSSEC a bit - and I was wondering whether there should not be triggers that the signing Engine can call when events happen. For example - OpenDNSSEC can call RNDC when needed..
One could continuously examine the logfile .... but that's ugly.

On Thu, 2013-02-21 at 18:02 +0000, Rick van Rein wrote:
> Hi Casper,
>
> Cool :)
>
> > I've written a little script that checks if a DS is available from DNS and,
> > if so, automatically issues the ds-seen command. It's a replacement for
> > manually checking the DS and calling "ods-ksmutil key ds-seen ....".
>
> We're rolling out a similar thing at SURFnet, which could be an alternative
> to this script, at least for some users. Our thing automates all stages from
> DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).
>
> I'll write a posting about that on our blog https://dnssec.surfnet.nl/
> in a while. After my head stops spinning from flu :-S
>
> > Warning 1: This may be a stupid idea. It could be argued that human
> > validation of this step is a good thing. Do not use this script if you do
> > not completely understand what it does.
>
> The real harm would have been done then I think? If you want to check
> manually, it ought to be done when rolling your DNSKEY and/or DS uphill
> (to the parent). When it starts rolling down on the other side of the
> hilltop it's probably too late to stop?
>
> > Warning 2: This script has not been properly tested. Do not use it in a
> > production environment.
>
> Ah, you're looking for α testers ;-)
>
> > I'm looking for opinions on if this is a useful solution or accident
> > waiting to happen.
>
> Did you like the interface of OpenDNSSEC? I didn't like that it refused
> to silently ignore repeated ds-seen due to a script that somehow missed
> a previous ds-seen.
>
>
> Cheers,
> -Rick
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       [email protected]  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
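The DS check discussed in this thread, as an added example that is neither Casper's script nor the SURFnet tool: it matches the parent's DS on the full SHA-256 digest (key tags can collide) and skips keys already handled, so ds-seen is never repeated. The function names and sample data are constructed for illustration, and the `--zone`/`--keytag` options are assumed from the OpenDNSSEC 1.x `ods-ksmutil` command line, since the thread elides them.

```python
import base64, hashlib, struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(zone: str) -> bytes:
    """Canonical (lower-case) wire form of the owner name."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def ds_sha256(zone: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(zone) + rdata).hexdigest()

def ds_seen_commands(zone, ready_ksks, parent_ds, already_seen):
    """Return one argv per KSK whose DS the parent actually publishes.

    ready_ksks:   [(flags, algorithm, pubkey_b64)] waiting for ds-seen
    parent_ds:    {(key_tag, algorithm, digest_type, lower-case digest hex)}
    already_seen: key tags handled on an earlier run (hypothetical state the
                  caller persists); skipped so ds-seen is not issued twice
    """
    cmds = []
    for flags, alg, pub in ready_ksks:
        rdata = dnskey_rdata(flags, alg, pub)
        tag = key_tag(rdata)
        if not flags & 0x0001 or tag in already_seen:  # not a KSK, or done
            continue
        if (tag, alg, 2, ds_sha256(zone, rdata)) in parent_ds:
            # Option names assumed from OpenDNSSEC 1.x; not shown in the thread.
            cmds.append(["ods-ksmutil", "key", "ds-seen",
                         "--zone", zone, "--keytag", str(tag)])
    return cmds

# Constructed sample data: a dummy 4-byte "public key", not a real key.
ZONE = "example.org"
KSK = (257, 8, base64.b64encode(b"\x01\x02\x03\x04").decode())
GOOD_DS = {(2063, 8, 2, ds_sha256(ZONE, dnskey_rdata(*KSK)))}
STALE_DS = {(2063, 8, 2, "00" * 32)}  # same key tag, digest of another key
```

The DS set should be fetched from the parent's authoritative servers (or through a validating resolver) before it is passed in; the function only returns the commands and leaves running them to the caller.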
