Re: BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-12 Thread Nick Tait via bind-users

On 12/04/2023 7:51 pm, Petr Špaček wrote:
> There is a philosophical question whether this is something a DNS
> server should do.


You make a very good point.


> There are external tools which can automate zone scan, e.g.
> https://github.com/CZ-NIC/fred-cdnskey-scanner


It hadn't occurred to me to look for a third-party solution. :-P

> I suppose that it should be possible to glue it to standard DNS UPDATE
> mechanism and thus make it work with any standard DNS server.


I must admit I was hoping for a solution that didn't require me to 
convert my main zone into a dynamic zone - i.e. something that would 
work within the inline-signing framework. But perhaps I was being overly 
optimistic?


I've decided I'll stick with manual KSK roll-overs for now... :-)

Thanks again.

Nick.


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-12 Thread Petr Špaček

On 12. 04. 23 5:38, Nick Tait via bind-users wrote:
> I'm currently running a few DNSSEC zones in BIND using dnssec-policy
> option, albeit with an unlimited lifetime on the KSK, so that I can
> control KSK roll-overs (which is necessary because my Registrar doesn't
> support RFC 7344)...
>
> Anyway I know that BIND supports RFC 7344 via parental-agents option
> when BIND is operating in the 'Child' role; but my question is whether
> BIND currently supports (or if there are any plans for BIND to support)
> RFC 7344 with BIND operating in the 'Parental Agent' (and 'Parent')
> capacity.
>
> In other words, can BIND be configured to poll a child zone for
> CDS/CDNSKEY records, and automatically add corresponding DS records into
> a zone that it controls?
>
> If this isn't on the radar already, I'll be happy to submit an
> enhancement request?


There is a philosophical question whether this is something a DNS server 
should do.


There are external tools which can automate zone scan, e.g.
https://github.com/CZ-NIC/fred-cdnskey-scanner

I suppose that it should be possible to glue it to standard DNS UPDATE 
mechanism and thus make it work with any standard DNS server.


--
Petr Špaček
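
The "glue it to standard DNS UPDATE" idea from the message above, as an added example (not code from this thread, from fred-cdnskey-scanner or from BIND): it turns a child's CDNSKEY set into an nsupdate script that replaces the DS RRset in the parent zone. The function names, zone names and sample key are constructed, the input is assumed to be already DNSSEC-validated against the current DS set, and the RFC 8078 delete sentinel goes beyond what the thread discusses.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 appendix B."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def cdnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return DS presentation fields (digest type 2, SHA-256) for one CDNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

def nsupdate_script(parent_zone, child, cdnskeys, ttl=3600):
    """Build an nsupdate script replacing the child's DS RRset in the parent zone.

    Assumption: `cdnskeys` was already DNSSEC-validated against the DS set
    currently published for `child`; this function does no validation itself.
    """
    if not cdnskeys:
        # An empty or failed poll must never be read as "remove the DS set".
        raise ValueError("no CDNSKEY records; leaving DS RRset untouched")
    lines = [f"zone {parent_zone}", f"update delete {child} DS"]
    # RFC 8078 delete sentinel: a single "CDNSKEY 0 3 0 AA==" asks for DS removal.
    is_delete = len(cdnskeys) == 1 and cdnskeys[0][2] == 0
    if not is_delete:
        for flags, protocol, algorithm, pubkey in cdnskeys:
            if algorithm == 0:
                raise ValueError("delete sentinel mixed with real keys")
            ds = cdnskey_to_ds(child, flags, protocol, algorithm, pubkey)
            lines.append(f"update add {child} {ttl} DS {ds}")
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample: child zone and a dummy 4-byte "public key".
    sample = [(257, 3, 13, "AQIDBA==")]
    print(nsupdate_script("example.", "child.example.", sample), end="")
```

The delete and add commands go out in one `send`, so the parent applies the DS replacement as a single update.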



BIND operating in Parental Agent role (according to RFC 7344)?

2023-04-11 Thread Nick Tait via bind-users

Hi list.

I'm currently running a few DNSSEC zones in BIND using dnssec-policy 
option, albeit with an unlimited lifetime on the KSK, so that I can 
control KSK roll-overs (which is necessary because my Registrar doesn't 
support RFC 7344)...


Anyway I know that BIND supports RFC 7344 via parental-agents option 
when BIND is operating in the 'Child' role; but my question is whether 
BIND currently supports (or if there are any plans for BIND to support) 
RFC 7344 with BIND operating in the 'Parental Agent' (and 'Parent') 
capacity.


In other words, can BIND be configured to poll a child zone for 
CDS/CDNSKEY records, and automatically add corresponding DS records into 
a zone that it controls?


If this isn't on the radar already, I'll be happy to submit an 
enhancement request?


Thanks,

Nick.

