[dns-wg] automatic DS record updates in the RIPE database
Tony Finch dot at dotat.at
Wed Oct 17 16:51:27 CEST 2018
At the end of his talk at the RIPE meeting this morning, Ondřej Caletka mentioned his work on automated updates to DNSSEC delegations using CDS records: https://ripe77.ripe.net/programme/meeting-plan/dns-wg/ I commented at the mic to say that this is something I am very keen on. I wrote `dnssec-cds` (an implementation of RFC7344 and section 4 of RFC8078) to help improve DNSSEC automation, and it is included in BIND 9.12 and later. https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/man.dnssec-cds.html Ondřej's setup uses a special `mntner` with RIPE database API access to indicate which zones should have their DS records updated automatically. This is a nice way to control permissions when the update process is running outside the RIPE database, but I expect it can be made neater if it is integrated more closely. I would like to help get RFC 7344 support into the RIPE database, so what do we need to do next to make it happen? Tony. -- f.anthony.n.finch <dot at dotat.at> http://dotat.at/ Hebrides, Bailey: Westerly backing southerly later, 5 to 7, occasionally gale 8 at first in north Bailey. Rough or very rough, occasionally high at first in north Bailey. Showers, rain later. Good, occasionally moderate.
[ dns-wg Archives ]