At the end of his talk at the RIPE meeting this morning, Ondřej Caletka
mentioned his work on automated updates to DNSSEC delegations using CDS
records:

https://ripe77.ripe.net/programme/meeting-plan/dns-wg/

I commented at the mic to say that this is something I am very keen on. I
wrote `dnssec-cds` (an implementation of RFC7344 and section 4 of RFC8078)
to help improve DNSSEC automation, and it is included in BIND 9.12 and
later.

https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/man.dnssec-cds.html

Ondřej's setup uses a special `mntner` with RIPE database API access to
indicate which zones should have their DS records updated automatically.
This is a nice way to control permissions when the update process is
running outside the RIPE database, but I expect it can be made neater if
it is integrated more closely.

I would like to help get RFC 7344 support into the RIPE database, so what
do we need to do next to make it happen?

Tony.
--
f.anthony.n.finch <dot(a)dotat.at> http://dotat.at/
Hebrides, Bailey: Westerly backing southerly later, 5 to 7, occasionally
gale 8 at first in north Bailey. Rough or very rough, occasionally high at
first in north Bailey. Showers, rain later. Good, occasionally moderate.