[Opendnssec-user] ods-dsseen: automatic activation of DNSKEYS
Rick van Rein
rick at openfortress.nl
Thu Feb 21 18:02:02 UTC 2013
> I've written a little script that checks if a DS is available from DNS and, if so, automatically issues the ds-seen command. It's a replacement for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
We're rolling out a similar thing at SURFnet, which could be an alternative
to this script, at least for some users. Our thing automates all stages from
DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).
I'll write a posting about that on our blog https://dnssec.surfnet.nl/
in a while. After my head stops spinning from flue :-S
> Warning 1: This may be a stupid idea. It could be argued that human validation of this step is a good thing. Do not use this script if you do not completely understand what it does.
The real harm would have been done then I think? If you want to check
manually, it ought to be done when rolling your DNSKEY and/or DS uphill
(to the parent). When it starts rolling down on the other side of the
hilltop it's probably too late to stop?
> Warning 2: This script has not been properly tested. Do not use it in a production environment.
Ah, you're looking for $\alpha$ testers ;-)
> I'm looking for opinions on if this is a useful solution or accident waiting to happen.
Did you like the interface of OpenDNSSEC? I didn't like that it refused
to silently ignore repeated ds-seen due to a script that somehow missed
a previous ds-seen.
More information about the Opendnssec-user