BIND operating in Parental Agent role (according to RFC 7344)?
Petr Špaček
pspacek at isc.org
Wed Apr 12 07:51:42 UTC 2023
On 12. 04. 23 5:38, Nick Tait via bind-users wrote:
> I'm currently running a few DNSSEC zones in BIND using dnssec-policy
> option, albeit with an unlimited lifetime on the KSK, so that I can
> control KSK roll-overs (which is necessary because my Registrar doesn't
> support RFC 7344)...
>
> Anyway I know that BIND supports RFC 7344 via parental-agents option
> when BIND is operating in the 'Child' role; but my question is whether
> BIND currently supports (or if there are any plans for BIND to support)
> RFC 7344 with BIND operating in the 'Parental Agent' (and 'Parent')
> capacity.
>
> In other words, can BIND be configured to poll a child zone for
> CDS/CDNSKEY records, and automatically add corresponding DS records into
> a zone that it controls?
>
> If this isn't on the radar already, I'll be happy to submit an
> enhancement request?

There is a philosophical question whether this is something a DNS server
should do.

There are external tools which can automate the zone scan, e.g.
https://github.com/CZ-NIC/fred-cdnskey-scanner

I suppose that it should be possible to glue it to the standard DNS UPDATE
mechanism and thus make it work with any standard DNS server.

--
Petr Špaček
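
An added sketch of the "glue" step suggested in the reply above (not code from the post, from BIND, or from fred-cdnskey-scanner): it turns a child's CDS RRset into an nsupdate script that replaces the DS RRset in the parent zone, including the RFC 8078 delete sentinel. It assumes the CDS records were already fetched and DNSSEC-validated against the current DS by a separate scanner; the function names, zone names and digests are hypothetical or constructed.

```python
import re

DELETE_SENTINEL = (0, 0, 0, "00")       # RFC 8078: CDS "0 0 0 00" asks for DS removal
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384 digest lengths in hex

def parse_ds_rdata(text):
    """Parse 'keytag alg digesttype hexdigest' (CDS and DS share this rdata format)."""
    keytag, alg, dtype, *digest = text.split()
    digest = "".join(digest).upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2})+", digest):
        raise ValueError(f"bad digest in {text!r}")
    if int(dtype) in DIGEST_HEX_LEN and len(digest) != DIGEST_HEX_LEN[int(dtype)]:
        raise ValueError(f"digest length does not match digest type in {text!r}")
    return (int(keytag), int(alg), int(dtype), digest)

def build_nsupdate(child, parent_zone, current_ds, cds, ttl=3600, allow_delete=False):
    """Return an nsupdate script syncing DS at `child` to the CDS RRset, or None if no change.

    Assumption: `cds` has already been DNSSEC-validated; this function does not validate.
    """
    want = {parse_ds_rdata(r) for r in cds}
    have = {parse_ds_rdata(r) for r in current_ds}
    if not want:
        return None  # no CDS published: the child is requesting nothing
    if DELETE_SENTINEL in want:
        if want != {DELETE_SENTINEL}:
            raise ValueError("delete sentinel mixed with other CDS records")
        if not allow_delete:
            raise PermissionError("child requested DS removal; local policy forbids it")
        want = set()
    if want == have:
        return None  # parent DS already matches the child's CDS
    # Delete and add go in one UPDATE message, so the DS RRset is swapped atomically.
    lines = [f"zone {parent_zone}", f"update delete {child} DS"]
    lines += [f"update add {child} {ttl} DS {k} {a} {d} {h}" for k, a, d, h in sorted(want)]
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample data: the child adds a second key during a KSK roll-over.
    old = ["12345 13 2 " + "AB" * 32]
    new = ["54321 13 2 " + "CD" * 32]
    print(build_nsupdate("child.example.", "example.", old, old + new))
```

The returned text can be piped to nsupdate with whatever TSIG key the parent zone's update policy accepts.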