Logging of CDS/CDNSKEY generation for workflow
During the DNSSEC webinar, a user asked whether there are plans to automate the transfer of DNSKEY from child to parent.
Matthijs responded that there are no plans yet for a parent zone in BIND to poll for CDS/CDNSKEY records in the child zone.
The OP says:
I can see where automated transfers to a registrar would be tricky, but my question arises from needing to update DSKEYs from zone admins that I have delegated out. My thoughts are that if I trust my delegations they should be able to update automatically.
Would it be possible to log CDS/CDNSKEY generation in such a way that a "simple" workflow can be implemented in order to create tooling which reacts to the log and performs a dynamic update on a parent zone?
Whenever a CDS/CDNSKEY is published in a child zone, BIND could create a log record indicating for which zone this has occurred.
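A sketch of the kind of tooling this request has in mind, added here as an example and not taken from BIND or from this issue: it reads a log line, checks that the zone is one the parent actually delegates, and builds nsupdate input that replaces the child's DS RRset. The log line format, the function names and the sample values are assumptions; the CDS records are assumed to have been fetched from the child and DNSSEC-validated against the current DS set before they reach this code.

```python
import re

# Hypothetical log format: the request only asks that BIND log the zone name.
LOG_RE = re.compile(r"zone (?P<zone>[A-Za-z0-9._-]+)/IN: CDS/CDNSKEY published$")
DIGEST_LEN = {2: 64, 4: 96}      # hex length for SHA-256 / SHA-384; SHA-1 not accepted
DELETE_CDS = (0, 0, 0, "00")     # RFC 8078 sentinel: remove the DS RRset
# Constructed sample input (not real log output or real key material).
SAMPLE_LOG = "01-Jan-2024 00:00:00.000 zone dept.example.org/IN: CDS/CDNSKEY published"
SAMPLE_CDS = [(12345, 13, 2, "ab" * 32)]


def zone_from_log(line, parent, delegated):
    """Return the child zone named in the log line, or None if it must be ignored."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    zone = m.group("zone").lower().rstrip(".") + "."
    # Log text is untrusted input: act only on children this parent delegates.
    if zone not in delegated or not zone.endswith("." + parent):
        return None
    return zone


def check_cds(rdata):
    """Validate one CDS tuple (key tag, algorithm, digest type, hex digest)."""
    tag, alg, dtype, digest = rdata
    if tuple(rdata) == DELETE_CDS:
        return DELETE_CDS
    if not (0 <= tag <= 65535 and 0 < alg <= 255):
        raise ValueError("bad key tag or algorithm")
    if dtype not in DIGEST_LEN or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        raise ValueError("unsupported digest type or non-hex digest")
    if len(digest) != DIGEST_LEN[dtype]:
        raise ValueError("digest length does not match digest type")
    return (tag, alg, dtype, digest.upper())


def ds_update(zone, parent, cds_rrset, ttl=3600):
    """Build nsupdate input that replaces the child's DS RRset in the parent."""
    records = [check_cds(r) for r in cds_rrset]
    if not records:
        raise ValueError("empty CDS RRset: leave the DS RRset alone")
    if DELETE_CDS in records and len(records) > 1:
        raise ValueError("delete sentinel mixed with other CDS records")
    lines = [f"zone {parent}", f"update delete {zone} DS"]
    if records != [DELETE_CDS]:
        lines += [f"update add {zone} {ttl} DS {t} {a} {d} {h}" for t, a, d, h in records]
    return "\n".join(lines + ["send"]) + "\n"
```

The returned text is meant to be reviewed or piped to nsupdate with a TSIG key scoped to DS records in the parent zone; nothing in the block sends an update itself.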