[Opendnssec-user] automated DS management when child and parent on the same system

Roland van Rijswijk - Deij roland.vanrijswijk at surfnet.nl
Fri Sep 2 07:41:21 UTC 2016


Hi Emil,

Benno Overeinder wrote:
>> On 21/07/16 1:02 AM, Emil Natan wrote:
>>> Hello,
>> Hi Emil,
>>
>>> Was automated DS management ever considered in the scenario when both
>>> child and parent are managed on the same system? What I mean is DS for
>>> the child domain to be automatically published and signed in the parent
>>> and replaced when KSK rollover is performed for the child domain.
>> That's not part of the OpenDNSSEC features, but it can be done. We have
>> 10+ child zones and their corresponding parent signed with DNSSEC
>> using ODS and with some scripting magic we managed to securely transfer
>> the DS records for the children into the parent, making the KSK
>> rollovers automatic.
> 
> Thank you, Sebastian and Emil, for bringing this item up.
> 
> Automated DS management such as described in RFC 7344 is on our roadmap of OpenDNSSEC 2.x (probably 2.2 or 2.3).
> 
> Input like yours on operational scenarios is most welcome. This helps us define the next releases and priorities for the OpenDNSSEC roadmap.

We have scripted this for our environment (scripts in Python); if you're
interested, we'd be more than happy to share our code with you. I've
copied in Rick van Rein, who is the main author of that code.

Cheers,

Roland

-- 
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
-- e: roland.vanrijswijk at surfnet.nl
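
The child-to-parent DS step discussed in this thread, as an added example (not the SURFnet scripts and not OpenDNSSEC code): it derives SHA-256 DS records from a child's KSK DNSKEYs per RFC 4034 and computes which DS records to add to or remove from the parent. The function names are hypothetical, the sample keys are constructed dummies, and it assumes the caller supplies the child's DNSKEY set and the parent's current DS set, with rollover timing (TTL waits) left to the signer.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest) with a SHA-256 digest (type 2)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def plan_parent_ds(owner, child_dnskeys, parent_ds):
    """Return (to_add, to_remove) so the parent's DS set matches the child's KSKs."""
    # KSK = zone key bit (0x0100) and SEP bit (0x0001) set, REVOKE bit (0x0080) clear.
    ksks = [k for k in child_dnskeys if k[0] & 0x0181 == 0x0101 and k[1] == 3]
    if not ksks:
        # Removing every DS would silently turn the child into an insecure delegation.
        raise ValueError("no usable KSK for %s; refusing to empty the DS set" % owner)
    wanted = {ds_from_dnskey(owner, *k) for k in ksks}
    current = set(parent_ds)
    return sorted(wanted - current), sorted(current - wanted)

if __name__ == "__main__":
    # Constructed sample keys (4-byte dummies, not real public keys).
    old_ksk = (257, 3, 13, "AQIDBA==")
    new_ksk = (257, 3, 13, "BQYHCA==")
    zsk = (256, 3, 13, "CQoLDA==")
    parent = [ds_from_dnskey("child.example.", *old_ksk)]
    # Mid-rollover: both KSKs published, so the new DS is added and the old one stays.
    add, remove = plan_parent_ds("child.example.", [old_ksk, new_ksk, zsk], parent)
    for tag, alg, dtype, digest in add:
        print("add    child.example. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
    for tag, alg, dtype, digest in remove:
        print("remove child.example. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

The resulting add and remove lists would still need to be written into the parent zone's input and re-signed by whatever mechanism the local setup uses.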


