This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] automatic DS record updates in the RIPE database

Previous message (by thread): [dns-wg] RFC 7344 support in the RIPE database

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Petr Špaček petr.spacek at nic.cz
Thu Nov 29 17:36:23 CET 2018

On 17. 10. 18 16:51, Tony Finch wrote:
> At the end of his talk at the RIPE meeting this morning, Ondřej Caletka
> mentioned his work on automated updates to DNSSEC delegations using CDS
> records:
> 
> https://ripe77.ripe.net/programme/meeting-plan/dns-wg/
> 
> I commented at the mic to say that this is something I am very keen on. I
> wrote `dnssec-cds` (an implementation of RFC7344 and section 4 of RFC8078)
> to help improve DNSSEC automation, and it is included in BIND 9.12 and
> later.
> 
> https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/man.dnssec-cds.html
> 
> Ondřej's setup uses a special `mntner` with RIPE database API access to
> indicate which zones should have their DS records updated automatically.
> This is a nice way to control permissions when the update process is
> running outside the RIPE database, but I expect it can be made neater if
> it is integrated more closely.
> 
> I would like to help get RFC 7344 support into the RIPE database, so what
> do we need to do next to make it happen?

BTW scanner tool (for registry side) is available from
https://github.com/CZ-NIC/fred-cdnskey-scanner

-- 
Petr Špaček  @  CZ.NIC

Previous message (by thread): [dns-wg] RFC 7344 support in the RIPE database

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]