and the following for the child side should work. If you are only interested
in DS algorithm 2 check that $6 == 2 (&& $6 == 2) when selecting DS and CDS records from the
stream. Again untested.
while read zone garbage
do
    ( echo "ds -q $zone"; echo "cds -q $zone"; ) |
    dig +noall +answer +nottl -f - |
    tr '[A-Z]' '[a-z]' |
    sort |
    awk '
    # rdata(): drop owner, class and type so CDS and DS rdata compare equal
    # (the full lines never match because the type field differs).
    function rdata(    i, s) {
        s = ""
        for (i = 4; i <= NF; i++) s = s " " $i
        return s
    }
    # report(): emit the rndc command for the zone just completed, if any.
    function report(zone) {
        if (zone != "" && cds == ds) {
            print "rndc dnssec -checkds published", zone
        }
        if (zone != "" && ds == "" && match(cds, "0 0 0 00")) {
            print "rndc dnssec -checkds withdrawn", zone
        }
    }
    BEGIN { last = ""; cds = ""; ds = "" }
    $1 != last {
        report(last)
        last = $1; cds = ""; ds = ""
    }
    $3 == "cds" { cds = cds rdata() }
    $3 == "ds"  { ds = ds rdata() }
    END { report(last) }'
done
Post by Tony Finch
Post by Matthijs Mekking
Post by Bob Harold
If BIND holds both the child and parent zone, will it add the DS record
at the correct time? Or do I still need to write scripts to update the
DS records in all my sub-zones? And is there some signal from BIND at
the time the DS record should be written, or do i need to calculate the
right time?
Currently you still have to write scripts to update DS records in all
your parent zones.
The CDS/CDNSKEY records are published in the child zones that indicate
the DS should be published, so I would script against that.
Then when the DS is seen in the parent, call the rndc dnssec -checkds
published/withdrawn command.
dnssec-cds can tell you what the parental DS record(s) should be. It
can maintain a dsset file for each child zone that you can $INCLUDE in the
parent. It's fairly bare so it needs to be wrapped with a script that does
the necessary queries and updates.
I don't know if the dnssec-policy stuff includes timing parameters or
checks to protect against parental publication delays; if not then the
wrapper script will have to keep track of time or poll the parent servers
or something.
Tony.
--
Fair Isle: South 3 to 5, occasionally 6 later. Slight or moderate,
becoming rough later in west. Fair. Good.
Seeing that I still need some scripting, does anyone already have scripts that work?
--
Bob Harold
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
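The parent-side decision the thread keeps coming back to (publish the DS when the child's CDS set is seen, call `rndc dnssec -checkds published` once the parent actually serves it, call `withdrawn` once a delete-CDS has been honoured) can also be expressed without awk. The following is an added example, not Mark's script and not BIND's or dnssec-cds's own code. It assumes input lines in the `dig +noall +answer +nottl` shape used above, computes the SHA-256 DS for a DNSKEY itself (RFC 4034 section 5.1.4, where dnssec-cds would normally do the work), and uses only constructed zone names and a constructed zero-byte public key. It does not validate RRSIGs: a real wrapper must fetch the child's CDS and DNSKEY through a validating resolver before acting on them.

```python
"""Added example: decide which `rndc dnssec -checkds` command to run for each
child zone by comparing the CDS set seen in the child with the DS set seen in
the parent, and check that the CDS set is backed by the child's DNSKEYs.
All sample records below are constructed; nothing here is a real zone or key."""
import base64
import hashlib

# RFC 8078: a CDS of "0 0 0 00" asks the parent to remove the DS.
CDS_DELETE = ("0", "0", "0", "00")


def parse_ds_like(lines, rrtype):
    """Map owner -> set of (keytag, alg, digest_type, digest) for DS or CDS lines.

    Lines look like `dig +noall +answer +nottl` output; dig may split a long
    digest over several tokens, so everything after the digest type is joined.
    """
    rrsets = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or fields[2].upper() != rrtype:
            continue
        owner = fields[0].lower()
        rr = (fields[3], fields[4], fields[5], "".join(fields[6:]).lower())
        rrsets.setdefault(owner, set()).add(rr)
    return rrsets


def checkds_action(cds, ds):
    """'published', 'withdrawn' or None for one zone (same rules as the awk above)."""
    if cds and cds == ds:
        return "published"      # parent now serves exactly the DS set the child asked for
    if not ds and cds == {CDS_DELETE}:
        return "withdrawn"      # parent has removed the DS after the delete request
    return None                 # still in transition, or nothing to do yet


def checkds_commands(cds_lines, ds_lines):
    """rndc command lines for every zone that publishes CDS records."""
    cds_sets = parse_ds_like(cds_lines, "CDS")
    ds_sets = parse_ds_like(ds_lines, "DS")
    cmds = []
    for zone in sorted(cds_sets):
        action = checkds_action(cds_sets[zone], ds_sets.get(zone, set()))
        if action:
            cmds.append(f"rndc dnssec -checkds {action} {zone}")
    return cmds


def wire_name(name):
    """Owner name in DNS wire format (length-prefixed lowercase labels)."""
    out = b"".join(bytes([len(label)]) + label.lower().encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def key_tag(rdata):
    """RFC 4034 appendix B key tag over DNSKEY rdata bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(dnskey_line):
    """The SHA-256 (digest type 2) DS tuple a parent should hold for a DNSKEY
    line such as "example.test. IN DNSKEY 257 3 13 <base64>"."""
    f = dnskey_line.split()
    flags, proto, alg = int(f[3]), int(f[4]), int(f[5])
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(f[6:]))
    digest = hashlib.sha256(wire_name(f[0]) + rdata).hexdigest()
    return (str(key_tag(rdata)), str(alg), "2", digest)


def cds_backed_by_dnskey(cds_set, dnskey_lines):
    """RFC 7344 section 4.1: only act on a CDS set whose records (other than the
    delete record) match a DNSKEY the child actually publishes."""
    expected = {dnskey_to_ds(l) for l in dnskey_lines if l.split()[2].upper() == "DNSKEY"}
    return all(rr == CDS_DELETE or rr in expected for rr in cds_set)


if __name__ == "__main__":
    # Constructed sample: a KSK whose public key is four zero bytes ("AAAAAA==").
    dnskey = ["example.test. IN DNSKEY 257 3 13 AAAAAA=="]
    tag, alg, dtype, digest = dnskey_to_ds(dnskey[0])
    cds = [f"example.test. IN CDS {tag} {alg} {dtype} {digest}",
           "old.test. IN CDS 0 0 0 00"]
    # Parent answer with the digest split and upper-cased, as dig may print it.
    ds = [f"example.test. IN DS {tag} {alg} {dtype} {digest[:32]} {digest[32:].upper()}"]
    child_cds = parse_ds_like(cds, "CDS")["example.test."]
    print("CDS backed by DNSKEY:", cds_backed_by_dnskey(child_cds, dnskey))
    for cmd in checkds_commands(cds, ds):
        print(cmd)
```

The `cds_backed_by_dnskey` check is the part the awk pipeline omits: a CDS that does not correspond to a key in the child's (validated) DNSKEY RRset should not be turned into a parental DS, and a wrapper that runs unattended should refuse it rather than publish it.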