Ask for automated KSK roll with DS checking

Mark Andrews marka at isc.org
Fri Apr 16 02:49:06 UTC 2021


and the following for the child side should work.  If you are only interested
in DS algorithm 2 check that $6 == 2 (&& $6 == 2) when selecting DS and CDS records from the
stream.  Again untested.

while read zone garbage
do
        ( echo "ds -q $zone"; echo "cds -q $zone"; ) |
        dig +noall +answer +nottl -f - |
        tr '[A-Z]' '[a-z]' |
        sort |
        awk '
        # rdata of a DS/CDS line without owner, class and type, so that the
        # CDS set and the DS set of a zone can be compared as strings
        function rdata(    i, s) { s = ""; for (i = 4; i <= NF; i++) s = s " " $i; return s }
        # report on the zone collected so far
        function flush() {
                if (last == "") return
                if (cds != "" && cds == ds)
                        print "rndc dnssec -checkds published", last
                if (ds == "" && match(cds, "0 0 00"))
                        print "rndc dnssec -checkds withdrawn", last
        }
        BEGIN { last = ""; cds = ""; ds = "" }
        # a new owner name (either record type): flush the previous zone and reset
        $1 != last { flush(); last = $1; cds = ""; ds = "" }
        $3 == "cds" { cds = cds rdata() }
        $3 == "ds"  { ds = ds rdata() }
        END { flush() }'
done

> On 16 Apr 2021, at 03:54, Bob Harold <rharolde at umich.edu> wrote:
> 
> 
> On Thu, Apr 15, 2021 at 12:44 PM Tony Finch <dot at dotat.at> wrote:
> Matthijs Mekking <matthijs at isc.org> wrote:
> > On 15-04-2021 16:35, Bob Harold wrote:
> > >
> > > If BIND holds both the child and parent zone, will it add the DS record
> > > at the correct time?  Or do I still need to write scripts to update the
> > > DS records in all my sub-zones?  And is there some signal from BIND at
> > > the time the DS record should be written, or do i need to calculate the
> > > right time?
> >
> > Currently you still have to write scripts to update DS records in all
> > your parent zones.
> >
> > The CDS/CDNSKEY records are published in the child zones that indicate
> > the DS should be published, so I would script against that.
> >
> > Then when the DS is seen in the parent, call the rndc dnssec -checkds
> > published/withdrawn command.
> 
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
> 
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
> becoming rough later in west. Fair. Good.
> 
> Seeing that I still need some scripting, does anyone already have scripts that work?
> 
> -- 
> Bob Harold
>  
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org


