[Opendnssec-user] Is there script for checking if DS is in TLD
Rick van Rein
rick at openfortress.nl
Wed Mar 9 15:10:33 UTC 2016
Hello Bas,
> Does anyone have a script to check if the DS records are published at
> the TLD, and if so do a ds-seen.
> I want to automate the ds-seen process
>
Yes, we do:
https://dnssec.surfnet.nl/?p=808
Although the link to the parent (for uploading DNSKEY and/or DS RRs) is
not included (it is specific to your parent's EPP deployment after all)
the difficult bits are all covered in this code: querying the right
NS's, taking care of TTL expiration times in caches and so on.
This code has run for a few years at SURFnet for hundreds of domains,
and shown to be very, very robust. We've had various problems with our
infrastructure, but never with this code. We've had it complain on NS
downtime, and found it was an unmonitored defect in our parent zone's
IPv4/IPv6 mixed presence. But I should also add to that that removal of
zones is not yet automated at SURFnet.
Ciao,
-Rick
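
The decision behind such a check, as an added example that is not part of the original message and is not the SURFnet script linked above: derive the expected DS from the KSK (RFC 4034), require it from every parent server on every address, and only then compute when cached copies of the old DS set have expired. All names, addresses, key bytes and the TTL handling are assumptions; the DNS queries themselves are taken as already done and passed in as observations.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_for(owner, flags, protocol, algorithm, pubkey):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_seen_check(expected, observations, cached_ttl, now):
    """observations: {(parent NS, address): set of DS tuples, or None if no answer}.
    Returns (not_before, problems); not_before is None unless every parent
    server, on every address, already serves the expected DS."""
    problems = []
    for (ns, addr), ds_set in sorted(observations.items()):
        if ds_set is None:
            problems.append(f"{ns} [{addr}]: no answer")
        elif expected not in ds_set:
            problems.append(f"{ns} [{addr}]: expected DS not served")
    if problems or not observations:
        return None, problems
    # Assumption: caches may hold the previous DS RRset (or its absence) for
    # cached_ttl seconds after the last server changed, so wait that long.
    return now + cached_ttl, problems

# Constructed sample data: toy key bytes and documentation addresses.
KSK = ds_for("example.nl.", 257, 3, 8, b"\x01\x02\x03\x04")
OLD = (1111, 8, 2, "00" * 32)
OBSERVED = {
    ("ns1.parent.example", "192.0.2.1"): {OLD, KSK},
    ("ns1.parent.example", "2001:db8::1"): None,   # IPv6 side unreachable
    ("ns2.parent.example", "192.0.2.2"): {OLD},    # not yet updated
}

if __name__ == "__main__":
    print(ds_seen_check(KSK, OBSERVED, 3600, now=1000))
```

A caller would run ds-seen only once `not_before` is set and has passed, and would alert on a non-empty `problems` list, which is where a parent server reachable over only one address family shows up.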