DNSSEC signing using Bind 9.16.x's internal/automated key mgmt correctly
generates PublishCDS, DSChange, DSState data for the KSK .state.
Subsequent published data correctly contains CDS/CDNSKEY data.
Most registrars are still incapable of polling for updates, and require, at
best, API push of DS Records for promotion to TLD parent.
("We're looking into it ..." and "You should expect it by the end of year ..."
seem to be the most common, years-long excuses ... er ... promises I've gotten).
About a year ago, I'd submitted
"automation of DS Record submit to registrar/parent, integrated with 'new'
kasp/dnssec-policy support in bind"
https://gitlab.isc.org/isc-projects/bind9/-/issues/1890
So far, no visible progress.
Before bind's current, integrated approach, I'd done some sloppy scripting with
opendnssec, and it ended up being a fragile mess.
I can certainly set up kludgy, async polling scripts &/or cronjobs to do the
same with bind; it seems so 1990s :-/ Just looking for something more integrated.
Short of the registrars getting a clue anytime soon, or moving to .CZ/.CH where
CDS/CDNSKEY polling seems uniquely doable ...
Has anyone here on-list figured out how to hook bind's internal signing process
to *trigger* an external script to exec those API pushes?
Also, input/comment from devs here, &/or @ #1890 would be appreciated.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
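The polling approach the post describes (watch the KSK's .state file that BIND 9.16's dnssec-policy writes, and push the DS to the registrar once BIND has moved the DS into the "want it published" state) can be made less fragile by keeping the decision logic separate from the push. Below is an added example, not code from the post, from BIND, or from ISC: it parses a key .state file and decides whether a DS submission is due, so a cron job can chain a registrar API call on its exit status. The sample state file is constructed; the field names (KSK, PublishCDS, DSState, DSChange) are the ones the post mentions, while the exact layout and the assumption that DSState "rumoured" means "CDS published, DS not yet confirmed in the parent" are assumptions about BIND's format, and `last_pushed_dschange` is a hypothetical marker the caller persists after a successful push so the same DS is not submitted twice.

```python
"""Decide whether a BIND 9.16 dnssec-policy KSK's DS record is due for
submission to the parent, by reading the key's .state file.

Added example (not BIND's or ISC's code). Assumes the .state file is a
list of 'Field: value' lines with ';' comments and timestamps written as
YYYYMMDDHHMMSS followed by a human-readable copy in parentheses.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of a KSK .state file (not captured from a real BIND).
SAMPLE_STATE = """\
; This is the state of key 12345, for example.org.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20210301120000 (Mon Mar  1 12:00:00 2021)
Published: 20210301120000 (Mon Mar  1 12:00:00 2021)
Active: 20210301120000 (Mon Mar  1 12:00:00 2021)
PublishCDS: 20210303120000 (Wed Mar  3 12:00:00 2021)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
DNSKEYChange: 20210303120000 (Wed Mar  3 12:00:00 2021)
KRRSIGChange: 20210303120000 (Wed Mar  3 12:00:00 2021)
DSChange: 20210303120000 (Wed Mar  3 12:00:00 2021)
GoalState: omnipresent
"""

_TS = re.compile(r"^(\d{14})")
_KEYTAG = re.compile(r"state of key (\d+)")


def parse_state(text):
    """Parse 'Field: value' lines into a dict; comment/blank lines skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            m = _KEYTAG.search(line)
            if m:
                fields["_keytag"] = int(m.group(1))
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_ts(value):
    """Turn a 'YYYYMMDDHHMMSS (...)' state-file value into an aware datetime."""
    m = _TS.match(value or "")
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc)


def ds_submission_due(fields, now, last_pushed_dschange=None):
    """True when this key is a KSK whose DS BIND wants published (DSState
    'rumoured', assumption), the CDS publish time has passed, and the
    current DSChange has not already been pushed by an earlier run."""
    if fields.get("KSK") != "yes":
        return False
    if fields.get("DSState") != "rumoured":
        return False
    publish_cds = parse_ts(fields.get("PublishCDS"))
    if publish_cds is None or publish_cds > now:
        return False
    if last_pushed_dschange is not None and \
            fields.get("DSChange") == last_pushed_dschange:
        return False
    return True


def main(argv):
    # Usage: check_ds.py Kexample.org.+013+12345.state [last-pushed-DSChange]
    # Exit 0 when a push is due (so cron can chain the registrar API call),
    # 1 otherwise. With no argument the constructed sample is evaluated.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_STATE
    last = argv[2] if len(argv) > 2 else None
    fields = parse_state(text)
    due = ds_submission_due(fields, datetime.now(timezone.utc), last)
    print(f"key tag {fields.get('_keytag')}: DS submission "
          f"{'due' if due else 'not due'} (DSState={fields.get('DSState')})")
    return 0 if due else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After the registrar push succeeds, the caller records the DSChange value it acted on and passes it back on the next run; once the parent actually serves the DS, `rndc dnssec -checkds published` (the BIND side of the handshake) moves DSState on and the check stops firing on its own.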