[Opendnssec-user] ods-dsseen: automatic activation of DNSKEYS

Mark Elkins mje at posix.co.za
Thu Feb 21 20:05:47 UTC 2013


Been playing with OpenDNSSEC a bit - and I was wondering whether there
should not be triggers that the signing Engine can call when events
happen.
For example - OpenDNSSEC can call RNDC when needed.

One could continuously examine the logfile .... but that's ugly.


On Thu, 2013-02-21 at 18:02 +0000, Rick van Rein wrote:
> Hi Casper,
> 
> Cool :)
> 
> > I've written a little script that checks if a DS is available from DNS and, if so, automatically issues the ds-seen command. It's a replacement for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
> 
> We're rolling out a similar thing at SURFnet, which could be an alternative
> to this script, at least for some users.  Our thing automates all stages from
> DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).
> 
> I'll write a posting about that on our blog https://dnssec.surfnet.nl/
> in a while.  After my head stops spinning from flu :-S
> 
> > Warning 1: This may be a stupid idea. It could be argued that human validation of this step is a good thing. Do not use this script if you do not completely understand what it does.
> 
> The real harm would have been done then I think?  If you want to check
> manually, it ought to be done when rolling your DNSKEY and/or DS uphill
> (to the parent).  When it starts rolling down on the other side of the
> hilltop it's probably too late to stop?
> 
> > Warning 2: This script has not been properly tested. Do not use it in a production environment.
> 
> Ah, you're looking for alpha testers ;-)
> 
> > I'm looking for opinions on if this is a useful solution or accident waiting to happen.
> 
> Did you like the interface of OpenDNSSEC?  I didn't like that it refused
> to silently ignore repeated ds-seen due to a script that somehow missed
> a previous ds-seen.
> 
> 
> Cheers,
>  -Rick

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
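As an added example (not Casper's script, nor OpenDNSSEC's own code), here is the check the thread describes in Python: compare the DS records OpenDNSSEC expects (assumed to come from `ods-ksmutil key export --ds --zone ZONE`) with the DS RRset the parent actually serves (assumed from `dig +short DS ZONE`), and build ds-seen commands only for keytags not reported before, so a rerun never repeats the ds-seen that Rick notes ods-ksmutil refuses. The `--keytag` command syntax, the input formats and the `already_seen` state set are assumptions; the DS data is constructed.

```python
# Added example (not Casper's script nor OpenDNSSEC code): decide which KSKs
# may be marked ds-seen by comparing the DS set OpenDNSSEC expects (assumed
# from `ods-ksmutil key export --ds --zone ZONE`) with the DS RRset the parent
# serves (assumed from `dig +short DS ZONE`).
from typing import List, Optional, Set, Tuple

DsRecord = Tuple[int, int, int, str]  # keytag, algorithm, digest type, digest

def parse_ds(line: str) -> Optional[DsRecord]:
    """Parse 'example.com. 3600 IN DS 12345 8 2 0A1B..' (zone-file form) or
    '12345 8 2 0A1B..' (dig +short form); comments and other RRs give None."""
    fields = line.split(";", 1)[0].split()
    if "DS" in fields:
        fields = fields[fields.index("DS") + 1:]
    if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
        return None
    keytag, alg, dtype = (int(f) for f in fields[:3])
    return keytag, alg, dtype, "".join(fields[3:]).upper()  # digest may be split

def parse_ds_set(text: str) -> Set[DsRecord]:
    return {r for r in map(parse_ds, text.splitlines()) if r is not None}

def keytags_to_mark(expected: str, published: str, already_seen: Set[int]) -> List[int]:
    """Keytags whose complete DS (tag, algorithm, digest) is at the parent and
    has not been reported before. Tracking already_seen matters because
    ods-ksmutil refuses a repeated ds-seen for the same key, as noted in the
    thread; persist it between runs (a state file, assumed)."""
    matched = parse_ds_set(expected) & parse_ds_set(published)
    return sorted({r[0] for r in matched} - already_seen)

def ds_seen_commands(zone: str, keytags: List[int]) -> List[List[str]]:
    """Command lines to run, in ods-ksmutil 1.x syntax (assumed)."""
    return [["ods-ksmutil", "key", "ds-seen", "--zone", zone, "--keytag", str(t)]
            for t in keytags]

# Constructed sample input; digests are dummy hex, not real key material.
EXPECTED = """; DS records for example.com
example.com. 3600 IN DS 12345 8 2 0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D0A1B2C3D
example.com. 3600 IN DS 23456 8 2 FFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCCFFEEDDCC
"""
PUBLISHED = """12345 8 2 0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d 0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d
11111 8 2 1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for cmd in ds_seen_commands("example.com", keytags_to_mark(EXPECTED, PUBLISHED, set())):
        print(" ".join(cmd))
```

Keytag 23456 is not reported because the parent does not serve its DS yet, and 11111 is ignored because OpenDNSSEC does not expect it; the digest is compared as well as the tag, so a stale DS with the same tag would not count.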
