hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?
PGNet Dev
pgnet.dev at gmail.com
Tue Jun 15 14:32:03 UTC 2021
On 6/10/21 8:38 AM, Tony Finch wrote:
> PGNet Dev <pgnet.dev at gmail.com> wrote:
>>
>> Has anyone here on-list figured out how to hook bind's internal signing
>> process to *trigger* an external script to exec those API pushes?
>
> I have not, and I also want to be able to do this, and I also want
> scripting hooks for whenever any keys change so that I can stash them
> somewhere safer.
>
> Tony.
fyi, @
automation of DS Record submit to registrar/parent, integrated with 'new' kasp/dnssec-policy support in bind
https://gitlab.isc.org/isc-projects/bind9/-/issues/1890
the current feedback is " ... we think the best way is that the user scripts this by them self ... "
and follows with " ... it is more likely that the CDS/CDNSKEY polling will be more common than pushing DS updates. A couple of TLDs have implemented this already and it looks like there is some movement on this topic in the Registrar world."
Of course inaction by TLDs & Registrars has been years-long ...