On 17. 10. 18 16:51, Tony Finch wrote:
At the end of his talk at the RIPE meeting this morning, Ondřej Caletka mentioned his work on automated updates to DNSSEC delegations using CDS records:
https://ripe77.ripe.net/programme/meeting-plan/dns-wg/
I commented at the mic to say that this is something I am very keen on. I wrote `dnssec-cds` (an implementation of RFC 7344 and section 4 of RFC 8078) to help improve DNSSEC automation, and it is included in BIND 9.12 and later.
https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/man.dnssec-cds.html
Ondřej's setup uses a special `mntner` with RIPE database API access to indicate which zones should have their DS records updated automatically. This is a nice way to control permissions when the update process is running outside the RIPE database, but I expect it can be made neater if it is integrated more closely.
I would like to help get RFC 7344 support into the RIPE database, so what do we need to do next to make it happen?
BTW, a scanner tool (for the registry side) is available from https://github.com/CZ-NIC/fred-cdnskey-scanner -- Petr Špaček @ CZ.NIC
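The parent-side step that both messages above refer to, turning a child's CDS RRset into a DS change under RFC 7344 and the RFC 8078 section 4 delete signal, as an added example that is not part of the thread and is not code from BIND's `dnssec-cds` or from `fred-cdnskey-scanner`. It assumes the CDS RRset has already been DNSSEC-validated and matched against the child's DNSKEY RRset (RFC 7344 section 4.1); the sample digest is constructed, not a real key:

```python
"""Derive the parent's DS RRset from a child's CDS RRset (RFC 7344, RFC 8078 sec. 4).

Added illustration, not code from dnssec-cds or fred-cdnskey-scanner. It assumes
the CDS RRset handed in has already been DNSSEC-validated and matched against the
child's DNSKEY RRset (RFC 7344 section 4.1); that step is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Expected digest length in hex characters per DS digest type (IANA registry).
DIGEST_HEX_LEN: Dict[int, int] = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, no whitespace

    def to_text(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def parse_cds(rdata: str) -> DS:
    """Parse CDS/DS presentation format: <key tag> <algorithm> <digest type> <digest>.

    Zone files often split the digest into several hex words; they are joined here.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed CDS rdata: {rdata!r}")
    try:
        key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    except ValueError:
        raise ValueError(f"non-numeric field in CDS rdata: {rdata!r}") from None
    if not (0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF and 0 <= digest_type <= 0xFF):
        raise ValueError(f"field out of range in CDS rdata: {rdata!r}")
    digest = "".join(fields[3:]).lower()
    try:
        bytes.fromhex(digest)
    except ValueError:
        raise ValueError(f"digest is not hex in CDS rdata: {rdata!r}") from None
    return DS(key_tag, algorithm, digest_type, digest)


def is_delete_signal(rec: DS) -> bool:
    """RFC 8078 section 4: a CDS of '0 0 0 00' asks the parent to remove the DS RRset."""
    return (rec.key_tag, rec.algorithm, rec.digest_type, rec.digest) == (0, 0, 0, "00")


def wanted_ds(cds_rrset: List[str]) -> List[DS]:
    """Return the DS records the child is asking for; an empty list means 'delete all'.

    Raises ValueError when the CDS RRset is empty (RFC 7344: no CDS means no change,
    so the caller must leave the DS alone), when the delete signal is mixed with
    ordinary CDS records, or when a record is malformed.
    """
    if not cds_rrset:
        raise ValueError("empty CDS RRset: no change requested")
    records = [parse_cds(r) for r in cds_rrset]
    deletes = [r for r in records if is_delete_signal(r)]
    if deletes:
        if len(deletes) != len(records):
            raise ValueError("delete signal mixed with ordinary CDS records; refusing to act")
        return []
    result: List[DS] = []
    for rec in records:
        expected = DIGEST_HEX_LEN.get(rec.digest_type)
        if expected is None:
            raise ValueError(f"unsupported digest type {rec.digest_type}")
        if len(rec.digest) != expected:
            raise ValueError(f"digest length {len(rec.digest)} does not match type {rec.digest_type}")
        if rec not in result:  # drop duplicates, keep order
            result.append(rec)
    return result


def ds_changes(current_ds: List[str], cds_rrset: List[str]) -> Tuple[List[str], List[str]]:
    """Compute (records to add, records to remove) at the parent, in presentation format."""
    have = {parse_cds(r) for r in current_ds}
    want = set(wanted_ds(cds_rrset))
    add = sorted(r.to_text() for r in want - have)
    remove = sorted(r.to_text() for r in have - want)
    return add, remove


# Constructed sample data (not a real key): a SHA-256 digest is 64 hex characters.
SAMPLE_DIGEST = "0123456789abcdef" * 4
SAMPLE_CDS = [f"12345 13 2 {SAMPLE_DIGEST}"]

if __name__ == "__main__":
    print("publish:", [d.to_text() for d in wanted_ds(SAMPLE_CDS)])
    print("changes:", ds_changes([], SAMPLE_CDS))
    print("delete:", wanted_ds(["0 0 0 00"]))
```

The two refusals are deliberate: an empty CDS RRset is "no opinion" under RFC 7344, not "remove the DS", and a delete sentinel sitting next to real CDS records is a contradictory request that a registry should reject rather than guess at. Whether the parent also requires a signed delete record or an out-of-band acceptance policy is a registry decision the code does not make.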