Ask for automated KSK roll with DS checking
Mark Andrews
marka at isc.org
Fri Apr 16 02:49:06 UTC 2021
and the following for the child side should work. If you are only interested
in DS algorithm 2 check that $6 == 2 (&& $6 == 2) when selecting DS and CDS records from the
stream. Again untested.
while read zone garbage
do
    ( echo "ds -q $zone"; echo "cds -q $zone"; ) |
    dig +noall +answer +nottl -f - |
    tr '[A-Z]' '[a-z]' |
    sort |
    awk '
    # RDATA only (fields 4..NF): the owner/class/type prefix differs between
    # the cds and ds lines, so comparing whole lines would never match.
    function rdata(    i, s) { s = $4; for (i = 5; i <= NF; i++) s = s " " $i; return s }
    # report the zone that has just been completed
    function report() {
        if (last != "" && cds != "" && cds == ds) {
            print "rndc dnssec -checkds published", last
        }
        if (last != "" && ds == "" && match(cds, "0 0 00")) {
            print "rndc dnssec -checkds withdrawn", last
        }
    }
    # new owner name: flush the previous zone, whether it had cds or ds lines
    $1 != last { report(); last = $1; cds = ""; ds = "" }
    $3 == "cds" { cds = cds " " rdata() }
    $3 == "ds"  { ds = ds " " rdata() }
    END { report() }'
done
> On 16 Apr 2021, at 03:54, Bob Harold <rharolde at umich.edu> wrote:
>
>
> On Thu, Apr 15, 2021 at 12:44 PM Tony Finch <dot at dotat.at> wrote:
> Matthijs Mekking <matthijs at isc.org> wrote:
> > On 15-04-2021 16:35, Bob Harold wrote:
> > >
> > > If BIND holds both the child and parent zone, will it add the DS record
> > > at the correct time? Or do I still need to write scripts to update the
> > > DS records in all my sub-zones? And is there some signal from BIND at
> > > the time the DS record should be written, or do i need to calculate the
> > > right time?
> >
> > Currently you still have to write scripts to update DS records in all
> > your parent zones.
> >
> > The CDS/CDNSKEY records are published in the child zones that indicate
> > the DS should be published, so I would script against that.
> >
> > Then when the DS is seen in the parent, call the rndc dnssec -checkds
> > published/withdrawn command.
>
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
>
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> https://dotat.at/
> Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
> becoming rough later in west. Fair. Good.
>
> Seeing that I still need some scripting, does anyone already have scripts that work?
>
> --
> Bob Harold
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
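The decision logic from the script above, as an added example that is not part of the list post, written so it can be exercised offline: it reads dig-style CDS/DS answer lines on stdin instead of querying, applies the "$6 == 2" digest-type filter mentioned in the post, and prints the rndc dnssec -checkds commands to run. The zone names and digests in sample_answers are constructed, not real. One caveat the example makes explicit: the CDS withdrawal record is "0 0 0 00" (digest type 0), so a filter that keeps only digest type 2 must still let digest type 0 through or the withdrawal signal is lost.

```shell
#!/bin/sh
# Added example: decide which "rndc dnssec -checkds" commands to run from
# dig +noall +answer +nottl style lines read on stdin:
#   <zone> IN <CDS|DS> <keytag> <alg> <digesttype> <digest...>
# Only SHA-256 (digest type 2) records are compared; the CDS delete record
# (digest type 0) is also kept so a withdrawal can be detected.
checkds_actions() {
    tr 'A-Z' 'a-z' |
    sort |
    awk '
    # RDATA without owner/class/type. dig may split a long digest with a
    # space, so join fields 4..NF with single spaces to normalise them.
    function rdata(    i, s) { s = $4; for (i = 5; i <= NF; i++) s = s " " $i; return s }
    # Emit the action for the zone that has just been completed.
    function report() {
        if (last == "") return
        if (cds != "" && cds == ds) print "rndc dnssec -checkds published", last
        if (ds == "" && cds == " 0 0 0 00") print "rndc dnssec -checkds withdrawn", last
    }
    $1 != last { report(); last = $1; cds = ""; ds = "" }
    $3 == "cds" && ($6 == 2 || $6 == 0) { cds = cds " " rdata() }
    $3 == "ds"  && $6 == 2              { ds = ds " " rdata() }
    END { report() }'
}

# Constructed sample (not real zones or digests): alpha has a CDS that matches
# the parent DS, plus a SHA-1 CDS the filter must ignore; beta has withdrawn
# (CDS delete record) and its DS is gone; gamma is still waiting for the parent;
# delta has a DS but publishes no CDS. Mixed case shows why tr is applied first.
sample_answers() {
    cat <<'EOF'
alpha.example. IN CDS 12345 13 2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA
alpha.example. IN CDS 12345 13 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
alpha.example. IN DS 12345 13 2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa
beta.example. IN CDS 0 0 0 00
gamma.example. IN CDS 23456 13 2 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCC
delta.example. IN DS 34567 13 2 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDDDDD
EOF
}

# Stand-alone run: prints the commands for alpha (published) and beta (withdrawn).
sample_answers | checkds_actions
```

In a real wrapper the sample function is replaced by the dig pipeline from the post, and the printed commands are executed rather than echoed; keeping the decision step as a filter over text makes it easy to check against captured dig output before it is allowed to drive rndc.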