hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

PGNet Dev pgnet.dev at gmail.com
Thu Jun 10 12:18:57 UTC 2021


DNSSEC signing using Bind 9.16.x's internal/automated key mgmt correctly 
generates PublishCDS, DSChange, DSState data for the KSK .state.

Subsequent published data correctly contains CDS/CDNSKEY data.

Most registrars are still incapable of polling for updates, and require, at 
best, API push of DS Records for promotion to TLD parent.

("We're looking into it ..." and "You should expect it by the end of year ..." 
seem to be the most common, years-long excuses ... er ... promises I've gotten).

About a year ago, I'd submitted

	"automation of DS Record submit to registrar/parent, integrated with 'new' 
kasp/dnssec-policy support in bind"
	 https://gitlab.isc.org/isc-projects/bind9/-/issues/1890

So far, no visible progress.

Before bind's current, integrated approach, I'd done some sloppy scripting with 
opendnssec, and it ended up being a fragile mess.

I can certainly set up kludgy, async polling scripts &/or cronjobs to do the 
same with bind; it seems so 1990s :-/ Just looking for something more integrated.


Short of the registrars getting a clue anytime soon, or moving to .CZ/.CH where 
CDS/CDNSKEY polling seems uniquely doable ...

Has anyone here on-list figured out how to hook bind's internal signing process 
to *trigger* an external script to exec those API pushes?

Also, input/comment from devs here, &/or @ #1890 would be appreciated.


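The piece that any such external script has to get right, whatever ends up invoking it, is the DS derivation and the comparison against what the parent currently publishes. The following is an added example (not from the post above, and not bind's or ISC's code) of that check step: it parses CDNSKEY RRs in presentation format, derives DS records per RFC 4034 (canonical lowercase owner name in wire form plus DNSKEY RDATA, hashed with the chosen digest type), honours the RFC 8078 "0 3 0 AA==" delete signal, and diffs the result against the parent's DS set. The CDNSKEY and DS samples are constructed (the key bytes are a dummy string, not a real ECDSA key), and `push_to_registrar` is a hypothetical placeholder for whatever API the registrar offers.

```python
"""Derive DS RRs from a zone's CDNSKEY set and diff them against the parent's DS set.

Added example, not bind's own code. Sample RRs below are constructed; the key
material is a dummy byte string, and the registrar push is a labelled placeholder.
"""
import base64
import hashlib

# Constructed sample of what `dig +noall +answer example.com. CDNSKEY` could return.
SAMPLE_CDNSKEY = ["example.com.\t3600\tIN\tCDNSKEY\t257 3 13 AQIDBA=="]

# Constructed sample of a stale DS set at the parent (wrong key tag and digest).
SAMPLE_PARENT_DS = {"example.com. IN DS 12345 13 2 " + "00" * 32}

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_cdnskey(rr: str):
    """Split a presentation-format CDNSKEY/DNSKEY RR into (owner, rdata, algorithm)."""
    fields = rr.split()
    owner = fields[0].lower().rstrip(".") + "."
    # Find the type mnemonic so optional TTL and class are handled either way.
    idx = next(i for i, f in enumerate(fields) if f in ("CDNSKEY", "DNSKEY"))
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be space-split
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, rdata, alg


def ds_from_cdnskey(rr: str, digest_type: int = 2) -> str:
    """DS RR in presentation form for one CDNSKEY RR (RFC 4034 s5.1.4)."""
    owner, rdata, alg = parse_cdnskey(rr)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def normalize_ds(ds: str) -> str:
    """Single-space the RR, lowercase the owner and uppercase the digest for comparison."""
    fields = ds.split()
    fields[0] = fields[0].lower().rstrip(".") + "."
    fields[-1] = fields[-1].upper()
    return " ".join(fields)


def ds_diff(cdnskey_rrs, parent_ds):
    """Return (to_add, to_remove): DS RRs the parent lacks / should drop."""
    parsed = [parse_cdnskey(rr) for rr in cdnskey_rrs]
    # RFC 8078 s4: CDNSKEY "0 3 0 AA==" asks the parent to remove every DS record.
    if any(alg == 0 for _, _, alg in parsed):
        wanted = set()
    else:
        wanted = {normalize_ds(ds_from_cdnskey(rr)) for rr in cdnskey_rrs}
    current = {normalize_ds(ds) for ds in parent_ds}
    return sorted(wanted - current), sorted(current - wanted)


def push_to_registrar(to_add, to_remove):
    """Hypothetical placeholder for the registrar API call; only reports the change."""
    return {"add": to_add, "remove": to_remove}


if __name__ == "__main__":
    add, rem = ds_diff(SAMPLE_CDNSKEY, SAMPLE_PARENT_DS)
    if add or rem:
        print(push_to_registrar(add, rem))
    else:
        print("parent DS set already matches CDNSKEY; nothing to push")
```

Run against live data, `SAMPLE_CDNSKEY` would be replaced by the answer section of a CDNSKEY query against the authoritative server and `SAMPLE_PARENT_DS` by the DS set fetched from the parent; an empty diff means there is nothing to push, which keeps a periodic run idempotent.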