auto-insert child DS records into parent zones when both are being mastered locally and having DNSSEC maintained by BIND
Coming from an ops ticket: On Thu Mar 15 07:28:34 2018, email@example.com wrote: [...]
There is a DS for 57.20.149.in-addr.arpa. at 20.149.in-addr.arpa., but 57.20.149.in-addr.arpa. is not signed: [...] Thus, everything beneath 57.20.149.in-addr.arpa. is currently bogus.
On Thu Mar 15 08:34:28 2018, dmahoney wrote: [...]
I should note that we're still dependent on old-ass Perl scripts because BIND still lacks the ability to auto-insert child DS records into parent zones when both are managed by BIND. This is the missing link in all the key-management magic we keep offering up.
Create the missing link.
I should think that it would even be possible if the child zone is a secondary but with inline signing.
I'm less certain, but wonder if it might be permissible even if the parent is secondary but with inline signing.
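The consistency check that such glue scripts perform between a parent's DS set and a child's DNSKEY set, as an added example (not code from this ticket, from BIND, or from the scripts mentioned above). It derives SHA-256 DS records from DNSKEYs per RFC 4034 and RFC 4509 and reports mismatches. The key bytes are constructed placeholders, the function names are hypothetical, and it assumes DS records are published only for keys with the SEP flag.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def audit_delegation(child, parent_ds, child_dnskeys):
    """Return (missing, orphaned) DS tuples for one delegation.

    missing:  child SEP keys with no DS in the parent (child stays insecure).
    orphaned: parent DS with no matching child DNSKEY; if every DS is
              orphaned, validators treat the child as bogus.
    """
    expected = {make_ds(child, *k) for k in child_dnskeys if k[0] & 0x0001}
    published = set(parent_ds)
    return sorted(expected - published), sorted(published - expected)

# Constructed sample data: placeholder key bytes, not real keys.
CHILD = "57.20.149.in-addr.arpa."
KSK = (257, 3, 13, bytes(range(64)))       # SEP flag set
ZSK = (256, 3, 13, bytes(range(64, 128)))  # zone key only

if __name__ == "__main__":
    ds = make_ds(CHILD, *KSK)
    print("DS to publish:", *ds)
    # The state from the ticket: DS in the parent, child unsigned.
    print("unsigned child:", audit_delegation(CHILD, [ds], []))
    print("signed child:  ", audit_delegation(CHILD, [ds], [KSK, ZSK]))
```

A non-empty `orphaned` list together with an empty child DNSKEY set is the condition reported in the ticket.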