Roadmap for DNSSEC signing/automation?

Evan Hunt each at isc.org
Tue Mar 13 17:49:31 UTC 2018


On Tue, Mar 13, 2018 at 12:30:57PM -0400, Jim Popovitch via bind-users wrote:
> Is there a roadmap for DNSSEC signing capabilities?   I'm specifically
> wondering if any features are planned to fully automate signing, such
> as being able to specify simple zone options like "dnssec-cycle=90d;"
> and having bind9 fully manage this, perpetually.

There are no plans to have named generate keys by itself. However, you can
run the "dnssec-keymgr" tool in a cron job and it'll keep your keys up to
date according to a defined policy, generating new ones as needed, and then
named will use them.  In this way you can fully automate ZSK rollovers.

KSK rollovers are still trickier since they require interaction with
your parent zone. I hope to get support for CDS/CDNSKEY signaling into
dnssec-keymgr, but whether that ultimately will be useful or not depends
on whether domain registrars make use of it.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
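As an added example (not part of the list post, nor ISC's own tooling), here is what the cron-driven ZSK automation Evan describes looks like in practice: a dnssec-keymgr policy file that turns the questioner's "90d" cycle into a `roll-period zsk 90d;` statement, the cron wrapper that applies it, and a post-run check that at least one ZSK exists in the key directory. The paths (`/etc/bind/keymgr-policy.conf`, `/var/cache/bind/keys`), the zone name `example.com`, and the algorithm, key sizes and publish windows are assumptions chosen for the example; the `-c` and `-K` options are those of the BIND 9.11 `dnssec-keymgr` tool. named must be configured with `key-directory` pointing at the same directory plus `auto-dnssec maintain;` and `inline-signing yes;` for the generated keys to be picked up.

```shell
#!/bin/sh
# Added example: cron wrapper around dnssec-keymgr for automated ZSK rollovers.
# Assumed locations (not from the original post):
#   policy file: /etc/bind/keymgr-policy.conf   key directory: /var/cache/bind/keys
# Matching named.conf zone stanza (assumed, standard BIND options):
#   zone "example.com" {
#       type master; file "db.example.com";
#       key-directory "/var/cache/bind/keys";
#       inline-signing yes;
#       auto-dnssec maintain;
#   };
# Crontab line for the daily run:  0 3 * * * root /usr/local/sbin/keymgr-cron.sh cron
set -eu

POLICY_FILE="${POLICY_FILE:-/etc/bind/keymgr-policy.conf}"
KEY_DIR="${KEY_DIR:-/var/cache/bind/keys}"
ZONE="${ZONE:-example.com}"

# One-time setup: write the dnssec-keymgr policy. The ZSK rolls every 90 days
# (the "dnssec-cycle=90d" from the question); one-week pre-/post-publish windows
# let cached DNSKEY RRsets catch up before the new key signs and after the old
# one stops. No roll-period is given for the KSK, so keymgr never rolls it on
# its own: a KSK roll needs a DS change at the parent, which this does not do.
write_policy() {
    cat > "$1" <<'EOF'
policy default {
    algorithm RSASHA256;
    key-size ksk 2048;
    key-size zsk 2048;
    coverage 1y;
    keyttl 1h;
    pre-publish zsk 1w;
    post-publish zsk 1w;
    roll-period zsk 90d;
};

zone example.com {
    policy default;
};
EOF
}

# Read the ZSK roll period back out of a policy file (used as a sanity check).
zsk_roll_period() {
    awk '/roll-period[ \t]+zsk/ { sub(/;$/, "", $3); print $3 }' "$1"
}

# Count key files in a directory whose DNSKEY flags field matches $2
# (256 = ZSK, 257 = KSK). Works on the public .key files dnssec-keygen writes.
count_keys() {
    grep -lE "DNSKEY[[:space:]]+$2[[:space:]]" "$1"/K*.key 2>/dev/null | wc -l | tr -d ' '
}

# The cron step: keymgr creates keys as the policy requires and sets their
# publish/activate/inactive/delete times; named applies them at those times.
run_keymgr() {
    if ! command -v dnssec-keymgr >/dev/null 2>&1; then
        echo "dnssec-keymgr not installed; nothing done" >&2
        return 2
    fi
    dnssec-keymgr -c "$POLICY_FILE" -K "$KEY_DIR" "$ZONE"
}

case "${1:-}" in
    setup) write_policy "$POLICY_FILE" ;;
    cron)
        run_keymgr
        # A zone with no ZSK on disk would stop being re-signed: make cron
        # mail about it rather than silently succeed.
        if [ "$(count_keys "$KEY_DIR" 256)" -lt 1 ]; then
            echo "no ZSK for $ZONE in $KEY_DIR after keymgr run" >&2
            exit 1
        fi
        ;;
esac
```

Run `keymgr-cron.sh setup` once, then let cron call `keymgr-cron.sh cron`; `rndc loadkeys example.com` or the next `rndc reload` makes named read newly created keys immediately instead of waiting for its own key-directory scan.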

