hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
PGNet Dev
pgnet.dev at gmail.com
Tue Jun 15 22:34:53 UTC 2021
On 6/15/21 4:40 PM, Tony Finch wrote:
> How should named say that a key has changed? It's a multithreaded program
> so it can't fork (not without a single-threaded helper process) so maybe
> it should fire off a message to a socket that the script machinery can
> listen to. (Maybe abuse NOTIFY for the purpose?) The feedback loop can be
> closed using an rndc command.
With a NOTIFY, something like _your_ old listener
nsnotifyd: handle DNS NOTIFY messages by running a command
https://dotat.at/prog/nsnotifyd/
https://github.com/fanf2/nsnotifyd
gets interesting.
Don't know yet how dusty that is, or relevant to current bind 9.16+, etc. -- but the general 'respond immediately to a NOTIFY' sounds quite useful.
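As an added example (not from this thread, and not nsnotifyd's own code), the core of such a listener: validating the NOTIFY request a signer like named would send (RFC 1996 wire format), running a per-zone hook, and building the acknowledgement. The `hooks` mapping and the sample zone are constructed for illustration; feeding it datagrams from a bound UDP socket is left to the caller.

```python
import struct

OPCODE_NOTIFY = 4          # RFC 1996 NOTIFY opcode
QTYPE_SOA, QCLASS_IN = 6, 1

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(buf, off):
    """Decode labels at buf[off]; returns (name, next offset). A NOTIFY question is never compressed."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(buf[off:off + n].decode("ascii")); off += n

def build_notify(msg_id, zone):
    """Constructed NOTIFY request: opcode 4, AA set, one SOA/IN question (what a primary sends)."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def parse_notify(buf):
    """Validate a NOTIFY request and return (id, zone); raises ValueError on anything else."""
    if len(buf) < 12:
        raise ValueError("truncated header")
    msg_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a request")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise ValueError("not a NOTIFY opcode")
    if qd != 1:
        raise ValueError("NOTIFY must carry exactly one question")
    zone, off = decode_name(buf, 12)
    if struct.unpack("!HH", buf[off:off + 4]) != (QTYPE_SOA, QCLASS_IN):
        raise ValueError("question is not SOA/IN")
    return msg_id, zone

def build_notify_response(request):
    """Acknowledge: same ID and question section, QR bit set (RFC 1996 section 4.7)."""
    msg_id, flags = struct.unpack("!HH", request[:4])
    return struct.pack("!HH", msg_id, flags | 0x8000) + request[4:]

def dispatch(datagram, hooks):
    """Return (hook result, response bytes). Malformed input gets (None, None); a valid
    NOTIFY for a zone without a hook is still acknowledged, with result None."""
    try:
        _msg_id, zone = parse_notify(datagram)
    except (ValueError, IndexError):
        return None, None
    hook = hooks.get(zone)
    return (hook(zone) if hook else None), build_notify_response(datagram)
```

The hook is where the DS-update script would be invoked; restricting `hooks` to the zones you expect, and checking the sender address before calling `dispatch`, keeps stray datagrams from running anything.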