[Opendnssec-user] Sub zones in opendnssec and DS keys

Bas van den Dikkenberg bas at Dikkenberg.net
Sun Aug 31 21:58:26 UTC 2014


Thanks,

I made some scripting around this issue: I drop all DS records for that subdomain in the zone file and add all new DS records.

And from this we auto update the DS records to our TLS's where possible; where not, we send an internal GPG signed mail to update the key.


With kind regards,


Bas


-----Original message-----
From: opendnssec-user-bounces at lists.opendnssec.org [mailto:opendnssec-user-bounces at lists.opendnssec.org] On behalf of Sebastian Castro
Sent: Sunday 31 August 2014 23:17
To: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Sub zones in opendnssec and DS keys



On 30/08/14 4:09 am, Matthijs Mekking wrote:
> Hi Bas,
> 
> On 08/29/2014 02:24 PM, Bas van den Dikkenberg wrote:
>> Hi all,
>>
>> I have 2 domains in my zone list of OpenDNSSEC, Test.domain.nl and domain.nl.
>>
>> Test.domain.nl has to publish its DS records to domain.nl, does 
>> OpenDNSSEC do this automatically?
>>
>> If not, can OpenDNSSEC do this automatically?
> 
> Unfortunately not at this moment.
> 
>> If not, is there a good workaround for this?
> 
> I don't know if there are users on the list who have experimented with 
> this, but I guess you can make use of the following element in conf.xml:
> 
>     <DelegationSignerSubmitCommand/>
> 
> to configure a program/script receiving the new KSK during a key 
> rollover. In your script, you could distinguish different executions 
> for domain.nl and test.domain.nl.

We do, although we don't do KSK rollover automatically because we need to interact with IANA to complete the .nz rollover. Our script takes the new KSK, generates DS records, and sends it by email to an internal address signed by PGP, which is later evaluated by a human and acted upon.

> 
> I can imagine that you want to concatenate the DS to the unsigned zone 
> file domain.nl, issue ods-signer sign domain.nl, wait a bit to let the 
> change propagate to your name servers and do a ds-seen for 
> test.domain.nl
> 
> Hope these hints help.
> 
> Best regards,
>  Matthijs
> 

Cheers,
--
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
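The workflow discussed in this thread, as an added example that is not OpenDNSSEC's code nor any list member's script: a Python hook of the kind `<DelegationSignerSubmitCommand/>` would run. It takes the child's new DNSKEY RR(s), computes DS records per RFC 4034 (key tag from Appendix B, SHA-256 digest over the canonical owner name plus RDATA), drops the stale DS RRs for that child from the unsigned parent zone text and appends the new set, which is exactly the drop-and-add step Bas describes. The hook call convention (DNSKEY RRs on stdin, parent zone path as the first argument), the sample DNSKEY and the sample parent zone are assumptions and constructed data; the 4-byte "public key" is not a real KSK. One detail worth noting for this thread's `Test.domain.nl` zone: the DS digest is computed over the lowercased owner name, so the hook canonicalizes the name before hashing and before comparing owners in the zone file. Signing the parent (`ods-signer sign domain.nl`) and the later `ds-seen` are still run by the operator once the DS is visible at the parent's name servers.

```python
# Added example (not OpenDNSSEC's own code): a DS-submit hook for a child
# zone delegated from a parent zone that the same OpenDNSSEC instance signs.
# Assumed call convention: DNSKEY RRs on stdin, parent zone file as argv[1].
import base64
import hashlib
import struct
import sys
from dataclasses import dataclass


@dataclass
class DS:
    owner: str        # canonical child name, trailing dot
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # uppercase hex

    def to_rr(self, ttl=3600):
        return (f"{self.owner} {ttl} IN DS {self.key_tag} "
                f"{self.algorithm} {self.digest_type} {self.digest}")


def canonical_name(name):
    """Lowercase, with exactly one trailing dot (RFC 4034 section 6.2)."""
    return name.lower().rstrip(".") + "."


def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed labels, root byte."""
    labels = [l for l in canonical_name(name)[:-1].split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags proto alg base64...' on one line."""
    f = line.split()
    if "DNSKEY" not in f:
        raise ValueError("not a DNSKEY RR: " + line)
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))
    return f[0], flags, alg, rdata


def dnskey_to_ds(line):
    """DS RR (digest type 2): SHA-256 over canonical owner wire name + DNSKEY RDATA."""
    owner, _flags, alg, rdata = parse_dnskey(line)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return DS(canonical_name(owner), key_tag(rdata), alg, 2, digest)


def rr_type(fields):
    """Type token of a zone-file RR: skip the TTL and class after the owner."""
    for tok in fields[1:]:
        if tok.isdigit() or tok.upper() in ("IN", "CH", "HS"):
            continue
        return tok.upper()
    return ""


def replace_ds_records(zone_text, child, ds_records):
    """Drop every DS RR owned by `child` in the parent's unsigned zone, append the new set."""
    child = canonical_name(child)
    kept = []
    for line in zone_text.splitlines():
        f = line.split()
        if f and canonical_name(f[0]) == child and rr_type(f) == "DS":
            continue  # stale DS from the previous KSK: drop it
        kept.append(line)
    kept.extend(ds.to_rr() for ds in ds_records)
    return "\n".join(kept) + "\n"


# Constructed sample data: made-up 4-byte "public key" and a minimal parent zone.
SAMPLE_DNSKEY = "Test.domain.nl. 3600 IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_PARENT_ZONE = """\
$ORIGIN domain.nl.
@ 3600 IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
test.domain.nl. 3600 IN NS ns1.domain.nl.
test.domain.nl. 3600 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""


def demo():
    """Run the hook logic over the constructed sample; returns (DS, new zone text)."""
    ds = dnskey_to_ds(SAMPLE_DNSKEY)
    return ds, replace_ds_records(SAMPLE_PARENT_ZONE, ds.owner, [ds])


if __name__ == "__main__":
    # Assumed hook convention; after this the operator runs `ods-signer sign`
    # on the parent and, once the DS is visible at its name servers, `ds-seen`.
    new_ds = [dnskey_to_ds(l) for l in sys.stdin if "DNSKEY" in l]
    with open(sys.argv[1]) as fh:
        zone = fh.read()
    with open(sys.argv[1], "w") as fh:
        fh.write(replace_ds_records(zone, new_ds[0].owner, new_ds))
```

The parser expects fully qualified owner names on the DNSKEY lines and one RR per line; if the hook is fed relative names or multi-line parenthesised records, normalise them first, since an owner name that does not match the delegation exactly yields a DS for the wrong name.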
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user