Matthijs Mekking <matth...@isc.org> wrote:
> On 15-04-2021 16:35, Bob Harold wrote:
> >
> > If BIND holds both the child and parent zone, will it add the DS record
> > at the correct time?  Or do I still need to write scripts to update the
> > DS records in all my sub-zones?  And is there some signal from BIND at
> > the time the DS record should be written, or do I need to calculate the
> > right time?
>
> Currently you still have to write scripts to update DS records in all
> your parent zones.
>
> The CDS/CDNSKEY records are published in the child zones that indicate
> the DS should be published, so I would script against that.
>
> Then when the DS is seen in the parent, call the rndc dnssec -checkds
> published/withdrawn command.

dnssec-cds can tell you what the parental DS record(s) should be. It
can maintain a dsset file for each child zone that you can $INCLUDE in the
parent. It's fairly bare so it needs to be wrapped with a script that does
the necessary queries and updates.

I don't know if the dnssec-policy stuff includes timing parameters or
checks to protect against parental publication delays; if not then the
wrapper script will have to keep track of time or poll the parent servers
or something.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  https://dotat.at/
Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
becoming rough later in west. Fair. Good.
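Added worked example (editor's code, not code from BIND, dnssec-cds, or anyone in this thread) of the wrapper logic Matthijs and Tony describe above: derive the DS set the child is asking for from its CDNSKEY/CDS, diff it against what each parent nameserver actually serves, keep the dsset file in step, and only signal "published" or "withdrawn" to BIND once every parent server agrees, so a parental publication delay cannot trigger the rndc call early. Assumptions not taken from the thread: the zone name child.example, the public-key bytes (a byte pattern, not a real key) and the old DS record are constructed test data; the script emits the rndc command strings instead of running them, in the `-key id -alg algorithm` form that the BIND 9.16 rndc documentation gives for `dnssec -checkds`; the per-run state dict stands in for a small state file the wrapper would keep next to the dsset.

```python
"""Decide parent DS changes and rndc signals from a child's CDS records.

Added example, not BIND or dnssec-cds code. All records are constructed test
data; 'child.example' is a placeholder zone and the public key is a byte pattern.
"""
import base64
import hashlib


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_cdnskey(owner, flags, proto, alg, pubkey_b64):
    """DS tuple (keytag, alg, digest_type, hexdigest) for a CDNSKEY record,
    using SHA-256 (digest type 2), the dnssec-cds default."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, 2, digest)


def parse_ds(text):
    """Parse CDS/DS presentation format '<tag> <alg> <dtype> <hex...>' into a tuple."""
    tag, alg, dtype, *hexparts = text.split()
    return (int(tag), int(alg), int(dtype), "".join(hexparts).upper())


def plan_ds_update(zone, child_cds, parent_views, state):
    """child_cds:    DS tuples from the child's CDS RRset (empty = no CDS: do nothing)
    parent_views: {server: {DS tuples}} as actually served by each parent nameserver
    state:        {"dsset", "published", "withdrawing"} sets of DS tuples the wrapper
                  keeps between runs (what it last wrote, already signalled, pending)
    Returns the new state plus the rndc commands whose precondition every parent
    server already satisfies. Rewrite the dsset file from the returned "dsset"."""
    if not child_cds:
        return dict(state, rndc=[])
    if any(ds[:3] == (0, 0, 0) for ds in child_cds):   # RFC 8078 "delete" CDS
        child_cds = set()
    views = list(parent_views.values())
    seen_anywhere = set().union(*views) if views else set()
    seen_everywhere = set.intersection(*views) if views else set()
    # DS we published earlier but the child no longer lists goes into the withdraw queue.
    withdrawing = state["withdrawing"] | (state["dsset"] - child_cds)
    cmds = []
    # 'published' only once every parent server serves the new DS, and only once.
    newly_published = (child_cds & seen_everywhere) - state["published"]
    for ds in sorted(newly_published):
        cmds.append(f"rndc dnssec -checkds -key {ds[0]} -alg {ds[1]} published {zone}")
    # 'withdrawn' only once no parent server serves the old DS any more.
    fully_gone = withdrawing - seen_anywhere
    for ds in sorted(fully_gone):
        cmds.append(f"rndc dnssec -checkds -key {ds[0]} -alg {ds[1]} withdrawn {zone}")
    return {"dsset": child_cds,
            "published": (state["published"] | newly_published) & child_cds,
            "withdrawing": withdrawing - fully_gone,
            "rndc": cmds}


# Constructed data: new KSK (flags 257, alg 13) whose "public key" is bytes 0x01..0x40,
# plus the DS of the previous KSK that the parent currently serves.
ZONE = "child.example"
PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
NEW_DS = ds_from_cdnskey(ZONE, 257, 3, 13, PUBKEY_B64)
OLD_DS = parse_ds("11111 13 2 " + "AA" * 32)

if __name__ == "__main__":
    state = {"dsset": {OLD_DS}, "published": {OLD_DS}, "withdrawing": set()}
    # Successive wrapper runs during a KSK rollover: parent servers lag each other.
    for views in ({"ns1": {OLD_DS}, "ns2": {OLD_DS}},
                  {"ns1": {NEW_DS}, "ns2": {OLD_DS}},
                  {"ns1": {NEW_DS}, "ns2": {NEW_DS}}):
        state = plan_ds_update(ZONE, {NEW_DS}, views, state)
        print(sorted(d[0] for d in state["dsset"]), state["rndc"])
```

The third run is the only one that emits anything: both parent servers serve the new DS and neither serves the old one, so it prints the `published` command for the new key tag and the `withdrawn` command for the old one. Running it again with the same inputs emits nothing, which is what makes it safe to put in cron. The "no CDS" and RFC 8078 delete-CDS cases are handled explicitly; the wrapper still has to do the dig queries against each parent server's address (not a resolver) and feed the results in.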
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users