Re: hooks in bind's DNSSEC automation to trigger external scripting of DS RECORDS updates, when CDS/CDNSKEY polling is (still) not available?

Wed, 16 Jun 2021 08:04:22 -0700 

@jpmens was kind enough to share the original basis for the simple perl script 
referenced above,
which to recollection was 'mainly an example taken from the Net::DNS 
documentation.'

Logging of CDS/CDNSKEY generation for workflow 
https://gitlab.isc.org/isc-projects/bind9/-/issues/1748
--------------------------------
#!/usr/bin/perl -w

use strict;
use Net::DNS::Nameserver;
sub notification { 
    my ($qname, $qclass, $qtype, $peer, $packet) = @_;

    # We are being notified (NOTIFY) for domain $qname.

    print "WOW. Got NOTIFY for $qname!\n";

    # Submit this notification to your monitoring system. In
    # the case of Nagios, you could update a database table
    # from which it later reads the result, or you can
    # implement a passive notification, etc.

    return ('NOERROR', [], [], [],
                       { aa => 1, opcode => 'NS_NOTIFY_OP'});
}

sub handler {
    my ($qname, $qclass, $qtype, $peer) = @_;
    my (@ans, @auth, @add);

    return ('SERVFAIL', \@ans, \@auth, \@add);
}
my $ns = Net::DNS::Nameserver->new( 
    LocalAddr    => '127.0.0.2',
    LocalPort    => 53,
    ReplyHandler => \&handler,      # Unused, but needs defining
    NotifyHandler => \&notification,
    Verbose      => 0,
    Debug    => 0,
) || die("Can't create nameserver object: $!");

$ns->main_loop;
--------------------------------


He also mentioned

        Logging of CDS/CDNSKEY generation for workflow
         https://gitlab.isc.org/isc-projects/bind9/-/issues/1748

which requests:

        Would it be possible to log CDS/CDNSKEY generation in such a way as that a 
"simple" workflow can be implemented in order to create tooling which reacts on 
the log and performs a dynamic update on a parent zone.
        Whenever a CDS/CDNSKEY is published in a child zone, BIND could create 
a log record indicating for which zone this has occurred.

and appears to have been implemented (?), but not committed/released.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to