GitLab

The only standard way to know what a zone's DS records should be is to look at its CDS/CDNSKEY records. There are software-specific ways that inspect the signer's key store. And by itself the DNSKEY RRset is not enough during a rollover.

This patch series adds support for child-side DS management, for use by delegation update scripts, such as registrar API clients.

These scripts can use dnssec-dsfromkey -k -f to get the expected DS records from a zonefile (or just the DNSKEY, CDNSKEY, and CDS records) without having to reimplement the logic themselves (e.g. skipping revoked keys, skipping SHA-1, etc.)

And dnssec-checkds uses this new mode to correctly check consistency during rollovers.