Roadmap for DNSSEC signing/automation?

Tony Finch dot at dotat.at
Tue Mar 13 21:46:02 UTC 2018


Evan Hunt <each at isc.org> wrote:
>
> KSK rollovers are still trickier since they require interaction with
> your parent zone. I hope to get support for CDS/CDNSKEY signaling into
> dnssec-keymgr, but whether that ultimately will be useful or not depends
> on whether domain registrars make use of it.

Even if your parent doesn't have RFC 7344 support, they probably have some
API you can use (or if you are really stuck you can script their website
with a headless browser). The interlocks and checking that dnssec-keymgr
needs for RFC 7344 will also be useful for supporting generic delegation
update API hooks.

This is one of my longstanding background projects (very slow incremental
progress) both as a parent (e.g. dnssec-cds) and as a child (why I learned
about headless browsers, ugh).

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fair Isle: Variable 4 at first in east, otherwise southeast 5 to 7, perhaps
gale 8 later. Moderate or rough. Fair. Good.
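
Added example (not part of the message above and not BIND code): a sketch of the kind of check a delegation-update hook can run before pushing DS records to a parent, whether the request arrives via CDS or is sent through a registrar API. The function names, the example.org owner and the key bytes are assumptions made for illustration; the continuity rule is simplified, and DNSSEC signature validation of the CDS RRset is not shown.

```python
import hashlib
import struct

def dnskey_rdata(flags, alg, pubkey, protocol=3):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 digest) per RFC 4509."""
    wire = b"".join(bytes([len(lab)]) + lab.encode()
                    for lab in owner.lower().rstrip(".").split(".")) + b"\0"
    return (key_tag(rdata), rdata[3], 2, hashlib.sha256(wire + rdata).digest())

def plan_ds_update(owner, dnskeys, cds, parent_ds):
    """Return (to_add, to_remove) for the parent, or raise if unsafe.

    Interlock (simplified assumption): after the change at least one DS must
    match a SEP key the child actually publishes, or the delegation breaks.
    """
    published = {ds_from_dnskey(owner, k) for k in dnskeys
                 if struct.unpack("!H", k[:2])[0] & 0x0101 == 0x0101}
    wanted = set(cds)
    if not wanted & published:
        raise ValueError("CDS set matches no published KSK; refusing update")
    return sorted(wanted - set(parent_ds)), sorted(set(parent_ds) - wanted)

# Constructed sample data: placeholder key bytes, not real ECDSA keys.
OWNER = "example.org."
KSK_OLD = dnskey_rdata(257, 13, bytes(range(64)))
KSK_NEW = dnskey_rdata(257, 13, bytes(range(64, 128)))

if __name__ == "__main__":
    old_ds, new_ds = (ds_from_dnskey(OWNER, k) for k in (KSK_OLD, KSK_NEW))
    add, remove = plan_ds_update(OWNER, [KSK_OLD, KSK_NEW], [new_ds], [old_ds])
    print("add:", [(t, a, d, h.hex()) for t, a, d, h in add])
    print("remove:", [(t, a, d, h.hex()) for t, a, d, h in remove])
```

The same add/remove plan can feed any parent-side interface; only the final submission step differs between an RFC 7344 parent and a registrar API.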


More information about the bind-users mailing list