[Opendnssec-user] DelegationSignerSubmitCommand

Volker Janzen voja at voja.de
Fri Jun 24 12:28:09 UTC 2011


you're right, I want a script that that looks which DS records are
published at the TLD level and then tell OpenDNSSEC that they are

I'd try the following:

- Fetch all zones from OpenDNSSEC configuration (later perhaps only the
zones that are needed, when the installation gets bigger)
- Detect all(?) nameservers of the TLD for the zone
- Ask every TLD nameserver for DS records of the zone
- When one DS is present on every nameserver: push these to OpenDNSSEC
(should be no problem to push all into, OpenDNSSEC seems to know when it
has to do something, or not)

I don't know if this could work. Perhaps I just need some kind of
spooling, when OpenDNSSEC sends me DNSKEYs, that I wait then x hours
before proceeding the checks above.

What do you think?


On Fri, 24 Jun 2011 14:07:42 +0200, Casper Gielen <c.gielen at uvt.nl>
> Op 24-06-11 14:02, Craig Whitmore schreef:
>> On 24/06/11 11:10 PM, "Volker Janzen" <voja at voja.de> wrote:
>>> Hi,
>>> that's what I want to do: pass DNSKEYs to my registrar.
>>> But I also need to write a cron that can check the DS records at the
>>> TLD zone and pass them to OpenDNSSEC. Or can OpenDNSSEC detect the DS
>>> records on its own?
>>> Greetings
>>>   Volker
>> You send (depending on your country/upstream) YOUR domains DS(s) or
>> DNSKEY(s). (not the other way)
> You'll have to wait for upstream to publish the DS before you can start
> using the DNSKEYS. I think that Volker wants a script that signals
> opendnssec when this has happened. I've also considered writing such a
> script but I haven't gotten around to it yet.

More information about the Opendnssec-user mailing list