Thanks, I made some scripting around this issue: I drop all DS records for that subdomain in the zone file and add all new DS records.
And from this we auto update the DS records to our TLS's where possible; where not, we send an internal GPG signed mail to update the key.

With kind regards,

Bas

-----Original message-----
From: [email protected] [mailto:[email protected]] On behalf of Sebastian Castro
Sent: Sunday 31 August 2014 23:17
To: [email protected]
Subject: Re: [Opendnssec-user] Sub zones in opendnssec and DS keys

On 30/08/14 4:09 am, Matthijs Mekking wrote:
> Hi Bas,
>
> On 08/29/2014 02:24 PM, Bas van den Dikkenberg wrote:
>> Hi all,
>>
>> I have 2 domains in my zone list of OpenDNSSEC, Test.domain.nl and domain.nl.
>>
>> Test.domain.nl has to publish his DS records to domain.nl, does
>> OpenDNSSEC do this automatically ?
>>
>> If not can OpenDNSSEC do this automatically ?
>
> Unfortunately not at this moment.
>
>> If not is there a good workaround for this ?
>
> I don't know if there are users on the list who have experimented with
> this, but I guess you can make use of the following element in conf.xml:
>
> <DelegationSignerSubmitCommand/>
>
> To configure a program/script receiving the new KSK during a key
> rollover. In your script, you could distinguish different executions
> for domain.nl and test.domain.nl.

We do, although we don't do KSK rollover automatically because we need to interact with IANA to complete the .nz rollover. Our script takes the new KSK, generates DS records, and sends it by email to an internal address signed by PGP, which later is evaluated by a human and acted upon.

>
> I can imagine that you want to concatenate the DS to the unsigned zone
> file domain.nl, issue ods-signer sign domain.nl, wait a bit to let the
> change propagate to your name servers and do a ds-seen for
> test.domain.nl
>
> Hope these hints help.
>
> Best regards,
> Matthijs
>

Cheers,
-- 
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
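
The workaround discussed in this thread, as an added example that is not part of the original messages or of OpenDNSSEC: the core of a script that a `<DelegationSignerSubmitCommand>` hook could call, turning the child's DNSKEY lines into SHA-256 DS records and replacing the child's DS set in the parent's unsigned zone text. Assumptions: fully-qualified owner names and one record per line; the function names and the sample zone and key data are constructed for illustration.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical (lower-case) wire format of a fully-qualified domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_to_ds(rr_line):
    """Map 'owner [ttl] [IN] DNSKEY flags proto alg base64' to a SHA-256 DS line.
    Returns None for keys without the SEP bit (ZSKs), which get no DS."""
    tok = rr_line.split(";")[0].split()        # drop trailing zone-file comment
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    if not flags & 1:
        return None
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(tok[i + 4:]))
    digest = hashlib.sha256(name_to_wire(tok[0]) + rdata).hexdigest().upper()
    return f"{tok[0].lower().rstrip('.')}. IN DS {key_tag(rdata)} {alg} 2 {digest}"

def replace_ds(parent_zone, child, dnskey_lines):
    """Drop every DS owned by `child` from the parent zone text, append the new DS set."""
    child = child.lower().rstrip(".")
    kept = []
    for line in parent_zone.splitlines():
        tok = line.split(";")[0].split()
        old_ds = len(tok) > 1 and tok[0].lower().rstrip(".") == child and "DS" in tok[1:4]
        if not old_ds:
            kept.append(line)
    new_ds = [ds for ds in map(dnskey_to_ds, dnskey_lines) if ds]
    return "\n".join(kept + new_ds) + "\n"

# Constructed sample data: a minimal parent zone and all-zero placeholder keys.
SAMPLE_PARENT = """domain.nl. 3600 IN SOA ns1.domain.nl. hostmaster.domain.nl. 1 3600 600 604800 3600
domain.nl. IN NS ns1.domain.nl.
test.domain.nl. IN NS ns1.domain.nl.
test.domain.nl. IN DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
"""
SAMPLE_KSK = "test.domain.nl. 3600 IN DNSKEY 257 3 13 " + "A" * 86 + "=="
SAMPLE_ZSK = "test.domain.nl. 3600 IN DNSKEY 256 3 13 " + "A" * 86 + "=="

if __name__ == "__main__":
    print(replace_ds(SAMPLE_PARENT, "test.domain.nl", [SAMPLE_KSK, SAMPLE_ZSK]), end="")
```

After writing the result back to the parent's unsigned zone file, the remaining steps are the ones Matthijs describes: `ods-signer sign domain.nl`, wait for propagation, then the ds-seen for test.domain.nl.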
