[Opendnssec-user] ods-dsseen: automatic activation of DNSKEYS
mje at posix.co.za
Thu Feb 21 20:05:47 UTC 2013
Been playing with OpenDNSSEC a bit - and I was wondering whether there
should not be triggers that the signing Engine can call when events
For example - OpenDNSSEC can call RNDC when needed..
One could continuously examine the logfile .... but thats ugly.
On Thu, 2013-02-21 at 18:02 +0000, Rick van Rein wrote:
> Hi Casper,
> Cool :)
> > I've written a little script that checks if a DS is available from DNS and, if so, automatically issues the ds-seen command. It's a replacement for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
> We're rolling out a similar thing at SURFnet, which could be an alternative
> to this script, at least for some users. Our thing automates all stages from
> DNSKEY publication by ods-signer to ds-seen (and ds-unseen for 2.0 up).
> I'll write a posting about that on our blog https://dnssec.surfnet.nl/
> in a while. After my head stops spinning from flue :-S
> > Warning 1: This may be a stupid idea. It could be argued that human validation of this step is a good thing. Do not use this script if you do not completely understand what it does.
> The real harm would have been done then I think? If you want to check
> manually, it ought to be done when rolling your DNSKEY and/or DS uphill
> (to the parent). When it starts rolling down on the other side of the
> hilltop it's probably too late to stop?
> > Warning 2: This script has not been properly tested. Do not use it in a production environment.
> Ah, you're looking for $\alpha$ testers ;-)
> > I'm looking for opinions on if this is a useful solution or accident waiting to happen.
> Did you like the interface of OpenDNSSEC? I didn't like that it refused
> to silently ignore repeated ds-seen due to a script that somehow missed
> a previous ds-seen.
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6147 bytes
Desc: not available
More information about the Opendnssec-user