This is where we need to get the registrars to follow standards. They are written so everyone doesn’t have to cobble together ad-hoc solutions. Hourly scans of all the DNSSEC delegations by the registrars would do.
Personally I prefer push solutions but I couldn’t get the IETF to agree.

https://tools.ietf.org/html/draft-andrews-dnsop-update-parent-zones-04

Mark

> On 27 May 2020, at 01:56, PGNet Dev <pgnet....@gmail.com> wrote:
>
> i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.
>
> the new policy does a nice job of streamlining the signing/key mgmt.
>
> after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar
>
> i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.
>
> as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there
> an external hook mechanism to external scripts that can handle the task.
>
> offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.
>
> then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.
>
> rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.
>
> has anyone here done this effectively already, with a script/solution that can be shared?
>
> are there any plans in place, or existing dev discussion, to address this within bind itself?
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
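
The approach suggested in the quoted message (watch each signed zone's CDS RRset and submit or withdraw DS records when it changes), sketched as an added example that is not part of the original thread or of BIND. The function names `parse_cds` and `plan`, the sample answer and the saved state are constructed for illustration; the handling of an empty RRset and of the delete sentinel follows RFC 7344 and RFC 8078 and goes beyond what the message describes. The registrar API call itself is left out because the thread names none.

```python
"""Added example: turn a zone's CDS RRset into DS submit/withdraw actions."""

OLD = "A1" * 32  # constructed SHA-256-length digests, not real key material
NEW = "B2" * 32
# Constructed `dig +noall +answer example.com CDS` style output.
SAMPLE_ANSWER = (
    f"example.com. 3600 IN CDS 12345 13 2 {OLD}\n"
    f"example.com. 3600 IN CDS 23456 13 2 {NEW[:32]} {NEW[32:]}\n"  # digest split by spaces
    "example.com. 3600 IN RRSIG CDS 13 2 3600 (signature omitted)\n"
)
DELETE = (0, 0, 0, "00")  # RFC 8078 "remove every DS" sentinel


def parse_cds(answer):
    """Return the CDS RRset as a set of (key_tag, algorithm, digest_type, digest)."""
    rrset = set()
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "CDS":
            continue  # skips RRSIGs, comments and blank lines
        tag, alg, dtype = (int(f) for f in fields[4:7])
        rrset.add((tag, alg, dtype, "".join(fields[7:]).upper()))
    return rrset


def plan(published, at_parent):
    """Diff the child's CDS RRset against the DS set last sent to the registrar."""
    if not published:
        # RFC 7344: no CDS means "no change"; an empty answer may also be a failed query.
        return []
    if DELETE in published:
        return [("withdraw", ds) for ds in sorted(at_parent)]
    # Submissions are listed before withdrawals so the new DS is in place first.
    return ([("submit", ds) for ds in sorted(published - at_parent)]
            + [("withdraw", ds) for ds in sorted(at_parent - published)])


if __name__ == "__main__":
    sent = {(12345, 13, 2, OLD), (11111, 13, 2, "C3" * 32)}  # constructed saved state
    for action, ds in plan(parse_cds(SAMPLE_ANSWER), sent):
        print(action, *ds)  # hand each action to the registrar's API client here
```

Feed it only answers obtained through a DNSSEC-validating resolver or directly from the zone's own authoritative server, since the resulting plan changes the zone's chain of trust.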