The following should work. I’ve not tested it.

# Usage: script zone [nsupdate options]
zone="$1"
shift
dig axfr -q "${zone}" |
tr '[A-Z]' '[a-z]' |
awk '
# Remember the zone apex from the SOA, then ask for CDS at every delegation.
BEGIN { zone="" }
$4 == "soa" { zone=$1 }
$1 != zone && $4 == "ns" { print "cds", $1 }' |
sort -u |
dig -f - |
awk '
BEGIN { last = ""; secure=0 }
# Trust a response only if the resolver set the AD (validated) flag.
$1 == ";;" && $2 == "flags:" {
        if (/ad;/) {
                secure=1
        } else {
                secure=0
        }
}
secure == 1 && $4 == "CDS" {
        if (last != $1) {
                if (last != "") {
                        print "send"
                }
                print "update delete", $1, "DS"
                last = $1;
        }
        # Skip the CDS delete sentinel (0 0 0 00), so only the delete is sent.
        if ($5 != "0" && $6 != "0" && $7 != "00") {
                $4 = "DS"
                print "update add", $0
        }
}
END {
        if (last != "") {
                print "send"
        }
}
' | nsupdate "$@"

> On 16 Apr 2021, at 03:54, Bob Harold <rharo...@umich.edu> wrote:
>
>
> On Thu, Apr 15, 2021 at 12:44 PM Tony Finch <d...@dotat.at> wrote:
> Matthijs Mekking <matth...@isc.org> wrote:
> > On 15-04-2021 16:35, Bob Harold wrote:
> > >
> > > If BIND holds both the child and parent zone, will it add the DS record
> > > at the correct time? Or do I still need to write scripts to update the
> > > DS records in all my sub-zones? And is there some signal from BIND at
> > > the time the DS record should be written, or do I need to calculate the
> > > right time?
> >
> > Currently you still have to write scripts to update DS records in all
> > your parent zones.
> >
> > The CDS/CDNSKEY records are published in the child zones that indicate
> > the DS should be published, so I would script against that.
> >
> > Then when the DS is seen in the parent, call the rndc dnssec -checkds
> > published/withdrawn command.
>
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
>
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
> becoming rough later in west. Fair. Good.
>
> Seeing that I still need some scripting, does anyone already have scripts
> that work?
>
> --
> Bob Harold
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
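
Added example, not part of the thread and not ISC's code: the check described in the quoted replies (has the parent published the DS that the child's CDS asks for?) written as a shell function over `dig +noall +answer` text. The names `normalise_rdata` and `ds_state`, the result words and any sample records are constructed; it assumes the answers come through a validating resolver and does not repeat the AD-flag test from the script above.

```shell
#!/bin/sh
# Added example: has the parent caught up with the child's CDS RRset?
# ds_state and its result words (match/removed/pending) are illustrative names.

# Reduce "name ttl class type rdata..." lines of one type to sorted,
# case-folded "keytag alg digesttype DIGEST" lines. dig may split a long
# digest into several space-separated chunks, so they are re-joined here.
normalise_rdata() {
    awk -v want="$1" '
        toupper($4) == want {
            digest = ""
            for (i = 8; i <= NF; i++) digest = digest $i
            print $5, $6, $7, toupper(digest)
        }' | sort -u
}

# ds_state CDS_TEXT DS_TEXT
#   match   - parent DS RRset equals the child CDS RRset
#   removed - child publishes the delete sentinel and the parent has no DS
#   pending - anything else; poll again later
ds_state() {
    cds=$(printf '%s\n' "$1" | normalise_rdata CDS)
    ds=$(printf '%s\n' "$2" | normalise_rdata DS)
    if [ "$cds" = "0 0 0 00" ]; then
        if [ -z "$ds" ]; then echo removed; else echo pending; fi
    elif [ -n "$cds" ] && [ "$cds" = "$ds" ]; then
        echo match
    else
        echo pending
    fi
}

# Live use (needs network): sh checkds.sh child.example
# Only once this reports match (or removed) has the parent caught up; that is
# the point at which the thread suggests running rndc dnssec -checkds.
if [ "$#" -eq 1 ]; then
    ds_state "$(dig +noall +answer cds "$1")" "$(dig +noall +answer ds "$1")"
fi
```

Which `rndc dnssec -checkds` form to run (published or withdrawn, and for which key) is left to the operator, since the comparison alone does not say which key changed.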