1. Forum
  2. Newsgroups
  3. comp.protocols.dns.bind

  • automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

    From PGNet Dev@[email protected] to bind-users on Tue May 26 08:56:34 2020
    From Newsgroup: comp.protocols.dns.bind

    i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.

    the new policy does a nice job of streamlining the signing/key mgmt.

    after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar

    i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.

    as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there
    an external hook mechanism to external scripts that can handle the task.

    offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.

    then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.

    rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.



    has anyone here done this effectively already, with a script/solution that can be shared?

    are there any plans in place, or existing dev discussion, to address this within bind itself?
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From PGNet Dev@[email protected] to Mark Andrews on Wed May 27 10:35:25 2020
    From Newsgroup: comp.protocols.dns.bind

    On 5/26/20 4:50 PM, Mark Andrews wrote:
    This is where we need to get the registrars to follow standards. They are written
    so everyone doesn’t have to cobble together ad-hoc solutions. Hourly scans of all
    the DNSSEC delegations by the registrars would do.

    push solutions

    sounds reasonable. at very least, better than nothing.

    in the absence of a standards-based solution, any options for hooks in bind to external scripts, even if ad-hoc?

    e.g., "if when change in DS Record in local bind, then fire this external script which will manage the DS submit/withdraw via API to registrar"

    a completely de-coupled solution, independent of bind itself, is doable -- but again, ad-hoc, and seems a step backwards given the nice progress with dnssec-policy/kasp simplifications in recent versions.

    if that's all there is, know of any existing, proven ad-hoc solutions?
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From PGNet Dev@[email protected] to =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= on Wed May 27 12:39:08 2020
    From Newsgroup: comp.protocols.dns.bind

    On 5/27/20 11:56 AM, Ondřej Surý wrote:
    Please submit a feature request to our GitLab instance.
    https://gitlab.isc.org/isc-projects/bind9/-/issues/1890




    --- Synchronet 3.18a-Linux NewsLink 1.113