On 17. 10. 18 16:51, Tony Finch wrote:
> At the end of his talk at the RIPE meeting this morning, Ondřej Caletka
> mentioned his work on automated updates to DNSSEC delegations using CDS
> records:
> 
> https://ripe77.ripe.net/programme/meeting-plan/dns-wg/
> 
> I commented at the mic to say that this is something I am very keen on. I
> wrote `dnssec-cds` (an implementation of RFC7344 and section 4 of RFC8078)
> to help improve DNSSEC automation, and it is included in BIND 9.12 and
> later.
> 
> https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/man.dnssec-cds.html
> 
> Ondřej's setup uses a special `mntner` with RIPE database API access to
> indicate which zones should have their DS records updated automatically.
> This is a nice way to control permissions when the update process is
> running outside the RIPE database, but I expect it can be made neater if
> it is integrated more closely.
> 
> I would like to help get RFC 7344 support into the RIPE database, so what
> do we need to do next to make it happen?

BTW, a scanner tool (for the registry side) is available from
https://github.com/CZ-NIC/fred-cdnskey-scanner

-- 
Petr Špaček  @  CZ.NIC
