Hi Casper,

Cool :)

> I've written a little script that checks if a DS is available from DNS and,
> if so, automatically issues the ds-seen command. It's a replacement for
> manually checking the DS and calling "ods-ksmutil key ds-seen ....".

We're rolling out a similar thing at SURFnet, which could be an alternative to this script, at least for some users. Our thing automates all stages from DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up). I'll write a posting about that on our blog https://dnssec.surfnet.nl/ in a while. After my head stops spinning from flu :-S

> Warning 1: This may be a stupid idea. It could be argued that human
> validation of this step is a good thing. Do not use this script if you do not
> completely understand what it does.

The real harm would have been done then I think? If you want to check manually, it ought to be done when rolling your DNSKEY and/or DS uphill (to the parent). When it starts rolling down on the other side of the hilltop it's probably too late to stop?

> Warning 2: This script has not been properly tested. Do not use it in a
> production environment.

Ah, you're looking for α testers ;-)

> I'm looking for opinions on if this is a useful solution or accident waiting
> to happen.

Did you like the interface of OpenDNSSEC? I didn't like that it refused to silently ignore repeated ds-seen due to a script that somehow missed a previous ds-seen.

Cheers,
 -Rick
