Re: botched KSK rollover

2017-08-21 Thread Phil Mayers
On 21/08/2017 14:23, Matthew Pounsett wrote: On 21 August 2017 at 07:18, Phil Mayers > wrote: Gandi are another excellent registrar that I can recommend. They have a comprehensive API for all their features, including

Re: botched KSK rollover

2017-08-21 Thread Matthew Pounsett
On 21 August 2017 at 07:18, Phil Mayers wrote: > > Gandi are another excellent registrar that I can recommend. They have a > comprehensive API for all their features, including uploading DNSSEC public > keys and consequent creation of the DS record. > > I'm hoping CDS

Re: botched KSK rollover

2017-08-21 Thread Phil Mayers
On 18/08/17 16:25, Carl Byington wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Sigh, it sure would be nice if I had a registrar with a means to automate DS submission. You might want to look at gkg.net Gandi are another excellent registrar that I can recommend. They have a

Re: [ot] botched KSK rollover

2017-08-18 Thread PGNet Dev
You might want to look at gkg.net fyi @ Gandi rich DNS(SEC) API with XML-RPC call support & docs for python, php, nodejs, perl, ruby & c http://doc.rpc.gandi.net/domain/reference.html ___ Please visit

[ot] Re: botched KSK rollover

2017-08-18 Thread /dev/rob0
On Fri, Aug 18, 2017 at 08:25:00AM -0700, Carl Byington wrote: > > Sigh, it sure would be nice if I had a registrar with a means > > to automate DS submission. > > You might want to look at gkg.net I've been planning to do that for a long time, I guess this is a reason to move on that. I was

Re: botched KSK rollover

2017-08-18 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 > Sigh, it sure would be nice if I had a registrar with a means to > automate DS submission. You might want to look at gkg.net -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux)

Re: botched KSK rollover

2017-08-18 Thread Michał Kępień
> I added a week to inactivation, > > # dnssec-settime -I+1w Knodns4.us.+005+60073.key > > I thought I should then try deactivating the new one, I am not sure whether this is really what you wanted to achieve, but in any case "dnssec-settime -i ... -S ..." only sets publication and activation

botched KSK rollover

2017-08-17 Thread /dev/rob0
Oops. I had it all figured out about 2 months ago and had generated new keys for ZSK (which I rolled over right away) and KSK. The KSK change was slated for yesterday, but I forgot to get the DS to the parent zone before the inactivation of the previous KSK. Sigh, it sure would be nice if I