automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

Mark Andrews marka at isc.org
Tue May 26 23:50:32 UTC 2020


This is where we need to get the registrars to follow standards.  They are written
so everyone doesn’t have to cobble together ad-hoc solutions.  Hourly scans of all
the DNSSEC delegations by the registrars would do.

Personally I prefer push solutions but I couldn’t get the IETF to agree.
https://tools.ietf.org/html/draft-andrews-dnsop-update-parent-zones-04

Mark

> On 27 May 2020, at 01:56, PGNet Dev <pgnet.dev at gmail.com> wrote:
> 
> i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.
> 
> the new policy does a nice job of streamlining the signing/key mgmt.
> 
> after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar
> 
> i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.
> 
> as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there
> an external hook mechanism to external scripts that can handle the task.
> 
> offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.
> 
> then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.
> 
> rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.
> 
> 
> 
> has anyone here done this effectively already, with a script/solution that can be shared?
> 
> are there any plans in place, or existing dev discussion, to address this within bind itself?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
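The polling approach suggested in the quoted message (watch each signed zone's CDS RRset, submit a DS when a record appears, withdraw it when one disappears) is easy to get subtly wrong around the two special cases in RFC 7344 and RFC 8078: an empty CDS RRset means "change nothing", and the lone `CDS 0 0 0 00` record means "remove every DS". The script below is an added example written for this page, not code from the thread, from ISC or from BIND; it assumes the CDS records have already been fetched into presentation format by an external step (for example `dig +dnssec` followed by signature checking), that the DS set the parent currently holds is kept in some state store, and it uses a hypothetical `RecordingRegistrar` stand-in where a real registrar API client would go. All digests and names in it are constructed sample data.

```python
#!/usr/bin/env python3
"""CDS-driven DS maintenance cycle (added example; assumptions noted inline)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class DS:
    """One DS / CDS RDATA: key tag, algorithm, digest type, hex digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def is_delete_signal(ds):
    """RFC 8078 section 4: 'CDS 0 0 0 00' asks the parent to drop the DS RRset."""
    return (ds.key_tag, ds.algorithm, ds.digest_type) == (0, 0, 0) and ds.digest in ("0", "00")


def parse_cds_rrset(lines):
    """Parse presentation-format CDS records ('owner TTL IN CDS tag alg dtype hex...')."""
    rrset = set()
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or comment
        if "CDS" not in fields:
            raise ValueError(f"not a CDS record: {line!r}")
        rdata = fields[fields.index("CDS") + 1:]
        if len(rdata) < 4:
            raise ValueError(f"malformed CDS rdata: {line!r}")
        key_tag, alg, dtype = (int(x) for x in rdata[:3])
        digest = "".join(rdata[3:]).upper()  # dig may split a long digest on whitespace
        rrset.add(DS(key_tag, alg, dtype, digest))
    return rrset


def plan_ds_changes(parent_ds, observed_cds):
    """Return (to_submit, to_withdraw) that makes the parent's DS set follow the child's CDS.

    No CDS published: the child is not asking for anything, change nothing (RFC 7344).
    Only the delete signal: withdraw every DS, the zone is going insecure (RFC 8078).
    Otherwise: add what is new, withdraw what the child no longer publishes.
    """
    if not observed_cds:
        return set(), set()
    if all(is_delete_signal(ds) for ds in observed_cds):
        return set(), set(parent_ds)
    if any(is_delete_signal(ds) for ds in observed_cds):
        raise ValueError("delete signal mixed with real CDS records; refusing to act")
    return observed_cds - parent_ds, parent_ds - observed_cds


class RecordingRegistrar:
    """Hypothetical stand-in for a registrar DNSSEC API client; records calls only."""
    def __init__(self):
        self.calls = []

    def add_ds(self, zone, ds):
        self.calls.append(("add", zone, ds))

    def remove_ds(self, zone, ds):
        self.calls.append(("remove", zone, ds))


def run_cycle(zone, parent_ds, cds_lines, registrar):
    """One poll for one zone: diff, act through the registrar, return the new parent DS set."""
    observed = parse_cds_rrset(cds_lines)
    to_submit, to_withdraw = plan_ds_changes(parent_ds, observed)
    for ds in sorted(to_submit):
        registrar.add_ds(zone, ds)
    for ds in sorted(to_withdraw):
        registrar.remove_ds(zone, ds)
    return (parent_ds | to_submit) - to_withdraw


# Constructed sample: the parent holds the DS for key tag 12345; the zone has
# rolled its KSK and now publishes CDS for both 12345 (old) and 23456 (new).
OLD_DIGEST = "A" * 64  # constructed placeholder SHA-256 digest
NEW_DIGEST = "B" * 64  # constructed placeholder SHA-256 digest
PARENT_STATE = {DS(12345, 13, 2, OLD_DIGEST)}
SAMPLE_CDS = [
    "; CDS RRset of example.com as fetched from the signed zone (constructed)",
    f"example.com. 3600 IN CDS 12345 13 2 {OLD_DIGEST}",
    f"example.com. 3600 IN CDS 23456 13 2 {NEW_DIGEST}",
]

if __name__ == "__main__":
    reg = RecordingRegistrar()
    state = run_cycle("example.com", PARENT_STATE, SAMPLE_CDS, reg)
    for call in reg.calls:
        print(call)
    print("parent now holds:", sorted(state))
```

Two things the fetch step in front of this must guarantee before the diff is trusted: the CDS RRset has to be DNSSEC-validated (signed by a key already chained from the current DS, as RFC 7344 requires), and it should be seen consistently on all of the zone's authoritative servers, otherwise a half-propagated zone transfer could trigger a premature withdrawal. The `ValueError` on a mixed delete signal is deliberate: that RRset is malformed under RFC 8078 and the safe response is to do nothing and alert.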
