Re: Roadmap for DNSSEC signing/automation?

Stelzner, Tore tore.stelzner at hrz.tu-darmstadt.de
Wed Mar 14 07:19:46 UTC 2018


Hello,
we use dnssec-keymgr for the key management and it is really helpful. My current feature request would be wildcards in the config file, but maybe it is already there, as I still have to check the updates brought by BIND 9.12.

For KSK updates and rollovers we use some scripts by a third company that work with the API of the domain reseller. At the moment it seems to be very specific for the API of this reseller and so nothing to share.

There is one test domain with a KSK rollover every 4 months, so I have something that reminds me that there is still some work to do. My current goal is to add and delete keys with some scripts triggered by the dates in the key files.
Thank you, Tore

-- 
Tore Stelzner
Technische Universität Darmstadt, Kommunikationssysteme
Hochschulrechenzentrum, Hochschulstr. 1, 64289 Darmstadt
Tel. +49 6151 16-71037, Fax +49 6151 16-71188, http://www.hrz.tu-darmstadt.de  


-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Tony Finch
Sent: Tuesday, 13 March 2018 22:46
To: Evan Hunt <each at isc.org>
Cc: bind-users at isc.org
Subject: Re: Roadmap for DNSSEC signing/automation?

Evan Hunt <each at isc.org> wrote:
>
> KSK rollovers are still trickier since they require interaction with
> your parent zone. I hope to get support for CDS/CDNSKEY signaling into
> dnssec-keymgr, but whether that ultimately will be useful or not depends
> on whether domain registrars make use of it.

Even if your parent doesn't have RFC 7344 support, they probably have some
API you can use (or if you are really stuck you can script their website
with a headless browser). The interlocks and checking that dnssec-keymgr
needs for RFC 7344 will also be useful for supporting generic delegation
update API hooks.

This is one of my longstanding background projects (very slow incremental
progress) both as a parent (e.g. dnssec-cds) and as a child (why I learned
about headless browsers, ugh).

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fair Isle: Variable 4 at first in east, otherwise southeast 5 to 7, perhaps
gale 8 later. Moderate or rough. Fair. Good.
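
A sketch of the date-triggered scripting mentioned in the reply above, added here as an example and not code from either poster or from BIND: it reads the timing comments that BIND's key tools write at the top of a K*.key file and reports the key's current state and the next scheduled event a script could act on. The sample key file, zone name, key id and the state labels are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the header comments found in a BIND K*.key file.
SAMPLE_KEY = """\
; This is a key-signing key, keyid 12345, for example.org.
; Created: 20180101000000 (Mon Jan  1 00:00:00 2018)
; Publish: 20180101000000 (Mon Jan  1 00:00:00 2018)
; Activate: 20180115000000 (Mon Jan 15 00:00:00 2018)
; Inactive: 20180515000000 (Tue May 15 00:00:00 2018)
; Delete: 20180601000000 (Fri Jun  1 00:00:00 2018)
example.org. IN DNSKEY 257 3 13 (constructed-placeholder-key-data)
"""

FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
LINE = re.compile(r"^;\s*(%s):\s*(\d{14})\b" % "|".join(FIELDS), re.M)

def parse_timing(key_text):
    """Return {field: aware UTC datetime} from the comment header of a .key file."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, stamp in LINE.findall(key_text)}

def key_state(timing, now):
    """Classify the key at `now`; a missing field means that event is not scheduled."""
    state = "generated"
    for field, label in (("Publish", "published"), ("Activate", "active"),
                         ("Inactive", "retired"), ("Delete", "removed")):
        when = timing.get(field)
        if when is not None and now >= when:
            state = label  # the latest lifecycle event already reached wins
    return state

def next_event(timing, now):
    """Return (field, datetime) of the earliest event still in the future, or None."""
    future = [(when, field) for field, when in timing.items() if when > now]
    if not future:
        return None
    when, field = min(future)
    return field, when

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    timing = parse_timing(SAMPLE_KEY)
    print(key_state(timing, now), next_event(timing, now))
```

A cron job could run this over every key file in the key directory and trigger the add or delete step when the state changes.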