At the end of his talk at the RIPE meeting this morning, Ondřej Caletka
mentioned his work on automated updates to DNSSEC delegations using CDS
records:

https://ripe77.ripe.net/programme/meeting-plan/dns-wg/

I commented at the mic to say that this is something I am very keen on. I
wrote `dnssec-cds` (an implementation of RFC 7344 and section 4 of RFC 8078)
to help improve DNSSEC automation, and it is included in BIND 9.12 and
later.

https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/man.dnssec-cds.html

Ondřej's setup uses a special `mntner` with RIPE database API access to
indicate which zones should have their DS records updated automatically.
This is a nice way to control permissions when the update process is
running outside the RIPE database, but I expect it can be made neater if
it is integrated more closely.

I would like to help get RFC 7344 support into the RIPE database, so what
do we need to do next to make it happen?

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Hebrides, Bailey: Westerly backing southerly later, 5 to 7, occasionally
gale 8 at first in north Bailey. Rough or very rough, occasionally high at
first in north Bailey. Showers, rain later. Good, occasionally moderate.
