Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Matthijs Mekking
On 15-04-2021 18:44, Tony Finch wrote: Matthijs Mekking wrote: On 15-04-2021 16:35, Bob Harold wrote: If BIND holds both the child and parent zone, will it add the DS record at the correct time?  Or do I still need to write scripts to update the DS records in all my sub-zones?  And is there

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Mark Andrews
and the following for the child side should work. If you are only interested in DS algorithm 2, check that $6 == 2 (&& $6 == 2) when selecting DS and CDS records from the stream. Again untested. while read zone garbage; do ( echo "ds -q $zone"; echo "cds -q $zone"; ) | dig +noall

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Mark Andrews
The following should work. I’ve not tested it. zone="$1"; shift; dig axfr -q "${zone}" | tr '[A-Z]' '[a-z]' | awk ' BEGIN { zone="" } $4 == "soa" { zone=$1 } $1 != zone && $4 == "ns" { print "cds", $1 }' | sort -u | dig -f - | awk ' BEGIN { last = ""; secure=0 } $1 == ";;" && $2 == "flags:" {

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Bob Harold
On Thu, Apr 15, 2021 at 12:44 PM Tony Finch wrote: > Matthijs Mekking wrote: > > On 15-04-2021 16:35, Bob Harold wrote: > > > > > > If BIND holds both the child and parent zone, will it add the DS record > > > at the correct time? Or do I still need to write scripts to update the > > > DS recor

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Tony Finch
Matthijs Mekking wrote: > On 15-04-2021 16:35, Bob Harold wrote: > > > > If BIND holds both the child and parent zone, will it add the DS record > > at the correct time?  Or do I still need to write scripts to update the > > DS records in all my sub-zones?  And is there some signal from BIND at >

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Matthijs Mekking
On 15-04-2021 16:35, Bob Harold wrote: On Thu, Apr 15, 2021 at 8:50 AM Bob Harold wrote: On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote: On 14-04-2021 22:30, Greg Rivers via bind-users wrote: > On Wednesd

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Bob Harold
On Thu, Apr 15, 2021 at 8:50 AM Bob Harold wrote: > > On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote: > >> >> >> On 14-04-2021 22:30, Greg Rivers via bind-users wrote: >> > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote: >> >> Does anyone have an automated KSK roll process, th

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Bob Harold
On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote: > > > On 14-04-2021 22:30, Greg Rivers via bind-users wrote: > > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote: > >> Does anyone have an automated KSK roll process, that checks for the DS > >> record at the parent, that they can

Re: Ask for automated KSK roll with DS checking

2021-04-14 Thread Matthijs Mekking
On 14-04-2021 22:30, Greg Rivers via bind-users wrote: On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote: Does anyone have an automated KSK roll process, that checks for the DS record at the parent, that they can share? As far as I can tell, the automated signing in BIND will roll th

Re: Ask for automated KSK roll with DS checking

2021-04-14 Thread Greg Rivers via bind-users
On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote: > Does anyone have an automated KSK roll process, that checks for the DS > record at the parent, that they can share? > > As far as I can tell, the automated signing in BIND will roll the KSK if I > set the timing in the policy file, but i

Ask for automated KSK roll with DS checking

2021-04-14 Thread Bob Harold
Does anyone have an automated KSK roll process, that checks for the DS record at the parent, that they can share? As far as I can tell, the automated signing in BIND will roll the KSK if I set the timing in the policy file, but it won't check the DS record, so it will happily break DNSSEC if some