automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?


automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

PGNet Dev
i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.

the new policy does a nice job of streamlining the signing/key mgmt.

after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar

i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.

as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there
an external hook mechanism to external scripts that can handle the task.

offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.

then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.

rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.



has anyone here done this effectively already, with a script/solution that can be shared?

are there any plans in place, or existing dev discussion, to address this within bind itself?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
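The CDS-watching approach suggested above, written out as an added example (not code from the thread or from BIND): parse a zone's published CDS RRset, compare it with the DS set last submitted to the parent, and derive submit/withdraw actions, honouring the RFC 8078 "delete all DS" signal (CDS 0 0 0 00). The zone name, digests and the previously submitted set are constructed sample data; the registrar API call is left as a hook because no specific API is named in the thread.

```python
"""Diff a zone's published CDS RRset against the DS records last submitted to the parent."""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-cased so case differences do not look like key changes

DELETE_SENTINEL = DS(0, 0, 0, "00")  # RFC 8078 CDS record meaning "remove all DS at the parent"

def parse_cds(text: str) -> Set[DS]:
    """Parse presentation-format lines like 'example.com. 3600 IN CDS 12345 13 2 ABCD...'
    (as printed by dig) into a set of DS tuples; other record types are ignored."""
    out = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "CDS":
            continue
        tag, alg, dt = (int(f) for f in fields[4:7])
        digest = "".join(fields[7:]).upper()  # long digests may be split across words
        out.add(DS(tag, alg, dt, digest))
    return out

def plan_actions(published_cds: Set[DS], submitted_ds: Set[DS]) -> List[Tuple[str, DS]]:
    """Return (action, record) pairs. No CDS published => do nothing (never withdraw on
    an empty answer, which may just be a lookup failure); delete sentinel => withdraw all."""
    by_tag = lambda d: d.keytag
    if not published_cds:
        return []
    if DELETE_SENTINEL in published_cds:
        return [("withdraw", ds) for ds in sorted(submitted_ds, key=by_tag)]
    actions = [("submit", ds) for ds in sorted(published_cds - submitted_ds, key=by_tag)]
    actions += [("withdraw", ds) for ds in sorted(submitted_ds - published_cds, key=by_tag)]
    return actions

# Constructed sample: KSK rollover in progress, key 22222 is new, 11111 is the current one,
# and 33333 is a stale DS the parent still holds from an earlier rollover.
SAMPLE_CDS = """example.com. 3600 IN CDS 22222 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.com. 3600 IN CDS 11111 13 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"""
SUBMITTED = {DS(11111, 13, 2, "FEDCBA9876543210" * 4), DS(33333, 13, 2, "AA" * 32)}

if __name__ == "__main__":
    for action, ds in plan_actions(parse_cds(SAMPLE_CDS), SUBMITTED):
        print(action, ds)  # hook point: call the registrar's DNSSEC API here
```

In practice the "submitted" set would be persisted between runs and only replaced after the registrar confirms the change, so a failed API call is retried on the next scan rather than silently forgotten.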

Re: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

Mark Andrews
This is where we need to get the registrars to follow standards.  They are written
so everyone doesn’t have to cobble together ad-hoc solutions.  Hourly scans of all
the DNSSEC delegations by the registrars would do.

Personally I prefer push solutions but I couldn’t get the IETF to agree.
https://tools.ietf.org/html/draft-andrews-dnsop-update-parent-zones-04

Mark

> On 27 May 2020, at 01:56, PGNet Dev <[hidden email]> wrote:
>
> i'm migrating/implementing the new `dnssec-policy` usage & KASP workflow in my bind 9.16.3.
>
> the new policy does a nice job of streamlining the signing/key mgmt.
>
> after key generation/rotation, the 'last step' is submitting new/changed DS Records to the relevant registrar
>
> i'd like to automate the process of submitting generated DS Records to the registrar/parent using a capable registrar's DNSSEC API.
>
> as i understand, there is neither any mechanism in Bind for automating the DS Record submit, nor is there
> an external hook mechanism to external scripts that can handle the task.
>
> offline, it's been suggested to me that with the current version of bind, a 'best' approach would be to write a simple script that checks for the existence of the CDS/CDNSKEY RRset in each signed zone.
>
> then, when a new record is added, trigger a submission of the DS to the parent. and, similarly, when a record is removed, trigger a withdrawal of the DS.
>
> rather than re-inventing the wheel ... i'm guessing i'm not the only one who'd like to automate this.
>
>
>
> has anyone here done this effectively already, with a script/solution that can be shared?
>
> are there any plans in place, or existing dev discussion, to address this within bind itself?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

PGNet Dev
On 5/26/20 4:50 PM, Mark Andrews wrote:
> This is where we need to get the registrars to follow standards.  They are written
> so everyone doesn’t have to cobble together ad-hoc solutions.  Hourly scans of all
> the DNSSEC delegations by the registrars would do.
>
> push solutions

sounds reasonable. at very least, better than nothing.

in the absence of a standards-based solution, any options for hooks in bind to external scripts, even if ad-hoc?

e.g., "if when change in DS Record in local bind, then fire this external script which will manage the DS submit/withdraw via API to registrar"

a completely de-coupled solution, independent of bind itself, is doable -- but again, ad-hoc, and seems a step backwards given the nice progress with dnssec-policy/kasp simplifications in recent versions.

if that's all there is, know of any existing, proven ad-hoc solutions?

Re: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

Ondřej Surý
Please submit a feature request to our GitLab instance. I can’t guarantee that we will get to it in the timeframe you need, but the mails tend to get lost.

Ondrej
--
Ondřej Surý — ISC

> On 27 May 2020, at 19:35, PGNet Dev <[hidden email]> wrote:
>
> On 5/26/20 4:50 PM, Mark Andrews wrote:
>> This is where we need to get the registrars to follow standards.  They are written
>> so everyone doesn’t have to cobble together ad-hoc solutions.  Hourly scans of all
>> the DNSSEC delegations by the registrars would do.
>>
>> push solutions
>
> sounds reasonable. at very least, better than nothing.
>
> in the absence of a standards-based solution, any options for hooks in bind to external scripts, even if ad-hoc?
>
> e.g., "if when change in DS Record in local bind, then fire this external script which will manage the DS submit/withdraw via API to registrar"
>
> a completely de-coupled solution, independent of bind itself, is doable -- but again, ad-hoc, and seems a step backwards given the nice progress with dnssec-policy/kasp simplifications in recent versions.
>
> if that's all there is, know of any existing, proven ad-hoc solutions?

Re: automating DS Record submit to parent with 'new' kasp/dnssec-policy support in bind?

PGNet Dev
On 5/27/20 11:56 AM, Ondřej Surý wrote:
> Please submit a feature request to our GitLab instance.
https://gitlab.isc.org/isc-projects/bind9/-/issues/1890