I'm migrating to/implementing the new `dnssec-policy` usage and KASP workflow in my 
BIND 9.16.3.

The new policy does a nice job of streamlining the signing/key management.

After key generation/rotation, the 'last step' is submitting new/changed DS 
records to the relevant registrar.

I'd like to automate the process of submitting generated DS records to the 
registrar/parent using a capable registrar's DNSSEC API.

As I understand it, there is neither any mechanism in BIND for automating the DS 
record submission, nor an external hook mechanism to external scripts that can 
handle the task.

Offline, it's been suggested to me that with the current version of BIND, a 
'best' approach would be to write a simple script that checks for the existence 
of the CDS/CDNSKEY RRset in each signed zone.

Then, when a new record is added, trigger a submission of the DS to the parent, 
and similarly, when a record is removed, trigger a withdrawal of the DS.

Rather than reinventing the wheel ... I'm guessing I'm not the only one who'd 
like to automate this.

Has anyone here done this effectively already, with a script/solution that can 
be shared?

Are there any plans in place, or existing dev discussion, to address this 
within BIND itself?
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
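The decision logic the suggested script needs, as an added example that is not part of the original post and not BIND's or ISC's code: given the CDS RRset published by the child zone and the DS RRset currently held at the parent, compute which DS records to submit and which to withdraw. It also derives a DS from a CDNSKEY record (RFC 4034 key tag and SHA-256 digest) and handles the RFC 8078 "0 0 0 00" delete sentinel and the RFC 7344 requirement that every authoritative server publish the same CDS RRset before the parent acts. Fetching the records and calling the registrar's API are assumed to be done elsewhere; the sample records are constructed, and the hypothetical `submit_ds`/`withdraw_ds` calls in the `__main__` block stand in for a real registrar client.

```python
"""Plan DS submissions/withdrawals from a zone's CDS/CDNSKEY RRset.

Added example, not BIND code. Assumes the CDS/CDNSKEY RRset was fetched with
DNSSEC validation (AD bit set) from every authoritative server, as RFC 7344
section 4.1 requires before a parent acts on it; the registrar client is
hypothetical.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509), the type BIND publishes by default


@dataclass(frozen=True, order=True)
class DS:
    """One DS record in RFC 4034 presentation form: key_tag alg digest_type digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, normalised to upper case so set comparison is exact

    @classmethod
    def from_text(cls, text: str) -> "DS":
        # The digest may be split into whitespace-separated chunks in zone files.
        tag, alg, dtype, *digest = text.split()
        return cls(int(tag), int(alg), int(dtype), "".join(digest).upper())

    def __str__(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


# RFC 8078 section 4: a lone CDS of "0 0 0 00" asks the parent to remove the DS RRset.
DELETE_CDS = DS(0, 0, 0, "00")


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 appendix B (a checksum, not a hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cdnskey_to_ds(owner: str, cdnskey_text: str) -> DS:
    """Derive the SHA-256 DS for a CDNSKEY record such as '257 3 13 <base64>'."""
    flags, protocol, algorithm, *key = cdnskey_text.split()
    rdata = (int(flags).to_bytes(2, "big")
             + bytes([int(protocol), int(algorithm)])
             + base64.b64decode("".join(key)))
    # DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), int(algorithm), DIGEST_SHA256, digest)


def cds_consistent(cds_by_server: Dict[str, Iterable[str]]) -> bool:
    """True only if every authoritative server serves the same CDS RRset.

    A mismatch usually means a rollover is still propagating; acting on one
    server's view could publish a DS for a key the others do not yet sign with.
    """
    rrsets = {frozenset(DS.from_text(t) for t in rrs) for rrs in cds_by_server.values()}
    return len(rrsets) == 1


def plan_ds_changes(cds_texts: Iterable[str],
                    parent_ds_texts: Iterable[str]) -> Tuple[List[DS], List[DS]]:
    """Return (submit, withdraw): DS records to add at and remove from the parent."""
    desired = {DS.from_text(t) for t in cds_texts}
    current = {DS.from_text(t) for t in parent_ds_texts}
    if not desired:
        # No CDS RRset at all means "no change requested", never "delete".
        return [], []
    if desired == {DELETE_CDS}:
        return [], sorted(current)
    if DELETE_CDS in desired:
        raise ValueError("delete sentinel mixed with real CDS records; refusing to act")
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    # Constructed sample: the zone has rolled its KSK and now publishes a CDNSKEY
    # for the new key while the parent still holds the old DS.
    old_ds = "11111 13 2 " + "A" * 64
    new_cdnskey = "257 3 13 AAE="  # constructed, not a real key
    cds = [str(cdnskey_to_ds("example.com", new_cdnskey))]
    submit, withdraw = plan_ds_changes(cds, [old_ds])
    for ds in submit:
        print(f"submit_ds({ds})")    # hypothetical registrar API call
    for ds in withdraw:
        print(f"withdraw_ds({ds})")  # hypothetical registrar API call
```

Withdrawing the old DS is only safe once the parent has published the new one and the old DS has expired from caches; a real script would gate the withdraw step on a validated query of the parent's DS RRset rather than issuing both calls in one run.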