[Opendnssec-user] ods-dsseen: automatic activation of DNSKEYS
Casper Gielen
c.gielen at uvt.nl
Thu Feb 21 16:21:40 UTC 2013
Hello,
I've written a little script that checks if a DS is available from DNS and, if so, automatically issues the ds-seen command. It's a replacement for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
Warning 1: This may be a stupid idea. It could be argued that human validation of this step is a good thing. Do not use this script if you do not completely understand what it does.
Warning 2: This script has not been properly tested. Do not use it in a production environment.
I'm looking for opinions on whether this is a useful solution or an accident waiting to happen.
example:
root at ramanujan:~# ods-dsseen
usage: ./ods-dsseen [--activate|--force|--quiet|--help] <zone|...>
Check if all DS-records are available through DNS and (optionally) activate the key.
--help Display this help text.
--activate Activate the key if the DS is found.
--force Force activation of keys that are not available (implies --activate).
--all Apply to all zones known to ODS with outstanding DSes.
--really-all Apply to all zones, required or not.
root at ramanujan:~# ods-dsseen --activate --all
The key(s) with tag example1.com:17467 are not available from DNS.
The key(s) with tag example2:com:63143 are not available from DNS.
The key(s) with tag example3.com:78321 are not available from DNS.
The key(s) with tag example4.com:12371 are available from DNS.
Found key with CKA_ID 41a90b0939a55045059afa599c53e9ee
Key 41a90b0939a55045059afa599c53e9ee made active
Old key retired
Key example4.com:12371 activated.
All keys for example4.com are available from DNS.
The key(s) with tag example5:com:63143 is not available from DNS.
The key(s) with tag example6.com:78321 is not available from DNS.
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
Attachment: ods-dsseen
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130221/7b23538f/attachment.ksh>
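The check the post describes, written out as an added example that is not part of the original post and not the attached ods-dsseen script (which is not reproduced on this page): collect the key tags of KSKs that ODS is holding in the "ready" state, look up the DS RRset published in the parent, and only issue "ods-ksmutil key ds-seen" for tags that are actually present. It assumes dig(1) for live lookups and a "ods-ksmutil key list --verbose" layout with zone, key type and state in the first three columns and the key tag last; the DS and key-list samples are constructed so it runs offline.

```shell
#!/bin/sh
# Added example; not the ods-dsseen script attached to the post.
# Core logic of such a tool: collect the key tags of KSKs that ODS has in
# state "ready" (waiting for ds-seen), look up the DS RRset published in the
# parent, and only issue "ods-ksmutil key ds-seen" for tags that are actually
# present.  Assumptions (not taken from the post): dig(1) exists for live
# lookups, and "ods-ksmutil key list --verbose" prints one key per line with
# zone, key type and state in the first three columns and the key tag last.

# Key tags from "dig +short DS <zone>" output on stdin.
# Each DS line is "<keytag> <algorithm> <digest type> <digest>".
ds_keytags() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# Key tags of KSKs in state "ready" for zone $1, from ods-ksmutil output on
# stdin.  The key tag is taken from the last column, so free-text columns such
# as "waiting for ds-seen" in the middle do not matter.
pending_keytags() {
    awk -v zone="$1" '$1 == zone && $2 == "KSK" && $3 == "ready" { print $NF }' | sort -un
}

# True if key tag $1 occurs in the newline-separated list $2.
tag_seen() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# The command that would activate the key; printed so an operator can review
# it before it is run.
ds_seen_cmd() {
    printf 'ods-ksmutil key ds-seen --zone %s --keytag %s\n' "$1" "$2"
}

# For zone $1, classify each pending KSK as "available" or "missing" given the
# published DS key tags in $2.  Prints one "<status> <zone>:<tag>" per key.
classify_zone() {
    zone=$1
    published=$2
    pending_keytags "$zone" | while read -r tag; do
        if tag_seen "$tag" "$published"; then
            echo "available $zone:$tag"
        else
            echo "missing $zone:$tag"
        fi
    done
}

# Live driver: check one zone; with --activate, run ds-seen for available keys.
# A key whose DS is missing is reported and left alone, never forced.
check_zone_live() {
    activate=0
    [ "$1" = "--activate" ] && { activate=1; shift; }
    zone=$1
    published=$(dig +short DS "$zone" | ds_keytags)
    ods-ksmutil key list --verbose | classify_zone "$zone" "$published" |
    while read -r status keyref; do
        tag=${keyref##*:}
        if [ "$status" = "available" ]; then
            echo "The key with tag $keyref is available from DNS."
            if [ "$activate" -eq 1 ]; then
                ds_seen_cmd "$zone" "$tag"
                ods-ksmutil key ds-seen --zone "$zone" --keytag "$tag"
            fi
        else
            echo "The key with tag $keyref is not available from DNS; not activating."
        fi
    done
}

# Constructed sample data for an offline run: a DS RRset for example4.com with
# two digest types for the same key, and a key list in the assumed layout.
SAMPLE_DS='12371 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
12371 8 1 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_KEYLIST='Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:
example4.com KSK ready waiting for ds-seen 41a90b0939a55045059afa599c53e9ee SoftHSM 12371
example4.com ZSK active 2013-03-01 00:00:00 CONSTRUCTED-CKA-ID SoftHSM 50000
example1.com KSK ready waiting for ds-seen CONSTRUCTED-CKA-ID SoftHSM 17467'

# Offline demonstration: classify zone $1 using DS lookup output $2 and the
# sample key list.  Prints the classification lines.
demo() {
    published=$(printf '%s\n' "$2" | ds_keytags)
    printf '%s\n' "$SAMPLE_KEYLIST" | classify_zone "$1" "$published"
}

# With arguments, behave like the live tool; with none, only define functions.
if [ $# -gt 0 ]; then
    check_zone_live "$@"
fi
```

Two points a reviewer of such a tool would raise: the lookup above goes through whatever resolver dig uses, so a stale cache can make a freshly published DS look missing (or a withdrawn one look present); querying the parent zone's authoritative servers directly (dig @<parent-ns>) avoids that. And the example deliberately has no equivalent of the post's --force: a key whose DS is not in the parent is reported and left in its current state, because activating it early is exactly the failure the ds-seen step is there to prevent.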