Ask for automated KSK roll with DS checking

Mark Andrews marka at isc.org
Fri Apr 16 01:56:25 UTC 2021


The following should work.  I’ve not tested it.

#!/bin/sh
# Usage: script parent-zone [nsupdate options, e.g. -k keyfile]
# Transfers the parent zone, looks up CDS for every delegation and feeds
# DS updates to nsupdate only for children whose CDS answer validated (AD flag).
zone="$1"
shift
dig axfr -q "${zone}" |
tr '[A-Z]' '[a-z]' |
awk '
# the SOA line gives the apex; every NS owner below it is a delegation
BEGIN { zone="" }
$4 == "soa" { zone=$1 }
$1 != zone && $4 == "ns" { print "cds", $1 }' |
sort -u |
dig -f - |
awk '
BEGIN { last = ""; secure=0 }
# remember whether the current answer carried the AD (authenticated data) flag
$1 == ";;" && $2 == "flags:" {
        if (/ ad[ ;]/) {
                secure=1
        } else {
                secure=0
        }
}
# only act on validated CDS answers: replace the child DS RRset wholesale
secure == 1 && $4 == "CDS" {
        if (last != $1) {
                if (last != "") {
                        print "send"
                }
                print "update delete", $1, "DS"
                last = $1;
        }
        # "0 0 0 00" is the RFC 8078 delete record: remove the DS, add nothing
        if (!($5 == "0" && $6 == "0" && $7 == "0" && $8 == "00")) {
                $4 = "DS"
                print "update add", $0
        }
}
END { if (last != "") { print "send" } }
' |
nsupdate "$@"


> On 16 Apr 2021, at 03:54, Bob Harold <rharolde at umich.edu> wrote:
> 
> 
> On Thu, Apr 15, 2021 at 12:44 PM Tony Finch <dot at dotat.at> wrote:
> Matthijs Mekking <matthijs at isc.org> wrote:
> > On 15-04-2021 16:35, Bob Harold wrote:
> > >
> > > If BIND holds both the child and parent zone, will it add the DS record
> > > at the correct time?  Or do I still need to write scripts to update the
> > > DS records in all my sub-zones?  And is there some signal from BIND at
> > > the time the DS record should be written, or do i need to calculate the
> > > right time?
> >
> > Currently you still have to write scripts to update DS records in all
> > your parent zones.
> >
> > The CDS/CDNSKEY records are published in the child zones that indicate
> > the DS should be published, so I would script against that.
> >
> > Then when the DS is seen in the parent, call the rndc dnssec -checkds
> > published/withdrawn command.
> 
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
> 
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
> becoming rough later in west. Fair. Good.
> 
> Seeing that I still need some scripting, does anyone already have scripts that work?
> 
> -- 
> Bob Harold
>  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
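The same DS-from-CDS logic as the awk pipeline above, as an added Python example (not from this post or from BIND): it parses dig's batch output, trusts only answers that carry the AD flag, and treats the RFC 8078 "0 0 0 00" record as a DS removal. The dig text is constructed here; in use it would be the output of the `dig -f -` step.

```python
# Constructed dig batch output for three CDS lookups (not real data).
DIGEST = "ABCDEF0123456789" * 4  # placeholder SHA-256 digest, 64 hex chars
SAMPLE_DIG_OUTPUT = f"""\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sub.example.com.\t\tIN\tCDS

;; ANSWER SECTION:
sub.example.com.\t3600\tIN\tCDS\t12345 13 2 {DIGEST}

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
bogus.example.com.\t3600\tIN\tCDS\t11111 13 2 {DIGEST}

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
old.example.com.\t3600\tIN\tCDS\t0 0 0 00
"""
DELETE_CDS = ("0", "0", "0", "00")  # RFC 8078 "remove my DS" record

def parse_cds(dig_output):
    """Return {child: (ad_flag, [(ttl, rdata_fields), ...])} from dig text."""
    children, ad = {}, False
    for line in dig_output.splitlines():
        f = line.split()
        if f[:2] == [";;", "flags:"]:
            # the flag names sit between "flags:" and the next ';'
            ad = "ad" in line.split("flags:", 1)[1].split(";", 1)[0].split()
        elif len(f) >= 8 and not f[0].startswith(";") and f[2:4] == ["IN", "CDS"]:
            children.setdefault(f[0], (ad, []))[1].append((f[1], f[4:]))
    return children

def cds_to_nsupdate(dig_output):
    """Build the nsupdate batch for the parent: one delete/add group per child."""
    cmds = []
    for child, (ad, records) in parse_cds(dig_output).items():
        if not ad:
            continue  # answer was not DNSSEC-validated: never act on it
        cmds.append(f"update delete {child} DS")
        for ttl, rdata in records:
            if tuple(rdata) == DELETE_CDS:
                continue  # delete record: drop the DS and add nothing back
            cmds.append(f"update add {child} {ttl} IN DS {' '.join(rdata)}")
        cmds.append("send")
    return cmds
```

The unvalidated child (bogus.example.com.) produces no commands at all, which is the property the AD check in the awk version relies on.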


