Ask for automated KSK roll with DS checking
Tony Finch
dot at dotat.at
Thu Apr 15 16:44:14 UTC 2021
Matthijs Mekking <matthijs at isc.org> wrote:
> On 15-04-2021 16:35, Bob Harold wrote:
> >
> > If BIND holds both the child and parent zone, will it add the DS record
> > at the correct time? Or do I still need to write scripts to update the
> > DS records in all my sub-zones? And is there some signal from BIND at
> > the time the DS record should be written, or do I need to calculate the
> > right time?
>
> Currently you still have to write scripts to update DS records in all
> your parent zones.
>
> The CDS/CDNSKEY records are published in the child zones that indicate
> the DS should be published, so I would script against that.
>
> Then when the DS is seen in the parent, call the rndc dnssec -checkds
> published/withdrawn command.
dnssec-cds can tell you what the parental DS record(s) should be. It
can maintain a dsset file for each child zone that you can $INCLUDE in the
parent. It's fairly bare so it needs to be wrapped with a script that does
the necessary queries and updates.
I don't know if the dnssec-policy stuff includes timing parameters or
checks to protect against parental publication delays; if not then the
wrapper script will have to keep track of time or poll the parent servers
or something.
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
becoming rough later in west. Fair. Good.
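A wrapper of the kind described above, as an added example that is not from the thread or from BIND itself: it compares the child's CDS RRset with the parent's DS RRset and works out which `rndc dnssec -checkds` call, if any, should follow. It assumes RDATA lines in the form printed by `dig +short ZONE CDS` / `dig +short ZONE DS` (keytag, algorithm, digest type, digest as one token); the zone name and data are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): decide whether the parent's
# DS RRset reflects the child's CDS RRset before telling BIND with
# "rndc dnssec -checkds published|withdrawn ZONE" (BIND 9.16+).
# Inputs are RDATA lines "keytag algorithm digest-type digest", e.g. from
# "dig +short ZONE CDS @child-server" and "dig +short ZONE DS @parent-server".
set -eu

# Normalise an RRset: lowercase, single spaces, trimmed, sorted, deduplicated.
normalise_rrset() {
    tr 'A-Z' 'a-z' | tr -s ' \t' ' ' | sed 's/^ //; s/ $//' | grep -v '^$' | sort -u
}

# Succeed when every line of set $1 also appears verbatim in set $2.
subset_of() {
    [ -n "$2" ] || return 1                       # empty superset: nothing matches
    tmp=$(mktemp); printf '%s\n' "$2" >"$tmp"
    missing=$(printf '%s\n' "$1" | grep -vxF -f "$tmp" || true)
    rm -f "$tmp"
    [ -z "$missing" ]
}

# Classify the parent against what the child asks for via CDS:
#   pending        some CDS record is not yet a DS in the parent (keep polling)
#   new-published  all CDS records are in the parent, but an old DS is still there
#   in-sync        parent DS set equals the CDS set (old DS withdrawn, or no roll)
ds_state() {
    cds=$(printf '%s\n' "$1" | normalise_rrset)
    ds=$(printf '%s\n' "$2" | normalise_rrset)
    [ -n "$cds" ] || { echo pending; return; }    # no CDS published: nothing to do
    if ! subset_of "$cds" "$ds"; then echo pending
    elif ! subset_of "$ds" "$cds"; then echo new-published
    else echo in-sync; fi
}

# Map the state to the rndc call the wrapper should issue for zone $1.
checkds_command() {
    zone=$1
    case $(ds_state "$2" "$3") in
        new-published) echo "rndc dnssec -checkds published $zone" ;;
        in-sync)       echo "rndc dnssec -checkds withdrawn $zone" ;;
        *)             echo "wait" ;;
    esac
}

# Constructed demo data: the parent still carries the old DS (tag 12345) while
# the child already asks for the new DS (tag 23456) through CDS.
demo_cds='23456 13 2 0123456789abcdef'
demo_ds='12345 13 2 fedcba9876543210
23456 13 2 0123456789ABCDEF'
checkds_command example.net "$demo_cds" "$demo_ds"  # prints: rndc dnssec -checkds published example.net
```

Poll several of the parent's authoritative servers rather than trusting one answer, since the thread's concern is parental publication delay; only act once all of them agree.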