Skip to content

automation of DS Record submit to registrar/parent, integrated with 'new' kasp/dnssec-policy support in bind

Description

i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.

the new policy does a nice job of streamlining the signing/key mgmt.

after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar

i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.

as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there
an external hook mechanism to external scripts that can handle the task.

offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.

then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.

rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.

Request

an additional response on ML

	> This is where we need to get the registrars to follow standards.  They are written
	> so everyone doesn’t have to cobble together ad-hoc solutions.  Hourly scans of all
	> the DNSSEC delegations by the registrars would do.
	> 
	> Personally I prefer push solutions but I couldn’t get the IETF to agree.
	> https://tools.ietf.org/html/draft-andrews-dnsop-update-parent-zones-04


sounds reasonable. at very least, better than nothing.

in the absence of a standards-based solution, integrated in bind's dnssec-policy/kasp feature set, an option for script/execution hooks in bind to external scripts, would be a good 1st step, even if ad-hoc

e.g., "if when change in DS Record in local bind, then fire this external script which will manage the DS submit/withdraw via API to registrar"

failing any/all of that^, a well documented example of a completely de-coupled solution, independent of bind itself, ideally registrar/API agnostic, but demonstrated to work, would be useful.
that's of course doable -- but again, ad-hoc, and seems a step backwards given the nice progress with dnssec-policy/kasp simplifications in recent versions.

Links / references

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information