Discussion:
[Opendnssec-user] Is there script for checking if DS is in TLD
Bas van den Dikkenberg
2014-08-28 14:29:31 UTC
Hi,

Does anyone have a script to check if the DS records are published at the TLD, and if so do a ds-seen?
I want to automate the ds-seen process.


With kind regards,


Bas van den Dikkenberg
Volker Janzen
2014-08-30 13:26:50 UTC
Hi Bas,

I'm using a script from Casper Gielen for this purpose.

One problem in general might be to know when your TLD nameservers have actually published it on every nameserver, in case of anycast, because you can't query all instances due to the nature of anycast.

If you're interested in this script, drop me a private mail. The script is GPL licensed.


Regards,
Volker
Post by Bas van den Dikkenberg
Hi,
Does anyone have a script to check if the DS records are published at the TLD, and if so do a ds-seen?
I want to automate the ds-seen process.
With kind regards,
Bas van den Dikkenberg
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Casper Gielen
2014-09-02 20:10:47 UTC
Skipped content of type multipart/mixed
Casper Gielen
2016-03-08 13:31:14 UTC
Post by Volker Janzen
Hi Bas,
I'm using a script from Casper Gielen for this purpose.
On 28.08.2014 at 10:29, Bas van den Dikkenberg wrote:
Post by Bas van den Dikkenberg
Does anyone have a script to check if the DS records are published at
the TLD, and if so do a ds-seen?
I want to automate the ds-seen process.
By request I've published this script (and a few others) on
https://github.com/CAPSLOCK2000/ods-scripts

Warning: These scripts were not designed for general consumption; there
might be a few assumptions in there that need to be changed to reflect your
own environment. Please don't use them if you are not comfortable with
fixing Bash scripts.
--
Casper Gielen <***@uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
Havard Eidnes
2016-03-08 15:35:28 UTC
Post by Volker Janzen
On 28.08.2014 at 10:29, Bas van den Dikkenberg wrote:
Post by Bas van den Dikkenberg
Does anyone have a script to check if the DS records are published at
the TLD, and if so do a ds-seen?
I want to automate the ds-seen process.
And to add some diversity:

The attached perl script is what we use to check if a given
zone's DS record has been published by all the name servers for
the parent zone. It automatically figures out itself what the
parent zone is, it does not have to be a TLD.

This script must be run on the OpenDNSSEC host and the user
running it must have sufficient permissions to do "ods-ksmutil
key export".

This is then used in a wrapper script (not supplied here, could
be sent after some minor cleanup) which lists KSKs which are in a
different state than "active" and warns of any required actions
(publishing DS records e.g.).

Regards,

- Håvard
Rick van Rein
2016-03-09 15:10:33 UTC
Hello Bas,
Post by Bas van den Dikkenberg
Does anyone have a script to check if the DS records are published at
the TLD, and if so do a ds-seen?
I want to automate the ds-seen process.
Yes, we do:

https://dnssec.surfnet.nl/?p=808

Although the link to the parent (for uploading DNSKEY and/or DS RRs) is
not included (it is specific to your parent's EPP deployment after all)
the difficult bits are all covered in this code: querying the right
NS's, taking care of TTL expiration times in caches and so on.

This code has run for a few years at SURFnet for hundreds of domains,
and shown to be very, very robust. We've had various problems with our
infrastructure, but never with this code. We've had it complain on NS
downtime, and found it was an unmonitored defect in our parent zone's
IPv4/IPv6 mixed presence. But I should also add to that that removal of
zones is not yet automated at SURFnet.


Ciao,
-Rick

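The check that Håvard's Perl script and the SURFnet code above both perform (find the parent zone, which need not be a TLD; ask every authoritative server of that parent directly for the child's DS RRset, bypassing caches; only declare the DS "seen" when all of them carry it) can be written as follows. This is an added illustration for the thread, not any poster's script and not the ods-scripts or SURFnet code. The network layer is a pluggable query function: `dig_query` assumes a BIND `dig` binary on PATH, and the `FAKE_ZONES` table is constructed data (`sub.example.org.` under a parent `example.org.` with two name servers, one of which lags) so the logic runs offline. The expected DS set would in practice come from `ods-ksmutil key export --ds`, as Håvard notes.

```python
"""Decide whether a child zone's DS RRset is visible on every authoritative
server of its parent zone, the precondition for `ods-ksmutil key ds-seen`.
Added example for the opendnssec-user thread; not one of the posters' scripts."""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# (owner name, RR type, server name or None for the local resolver) -> rdata strings
QueryFn = Callable[[str, str, Optional[str]], Set[str]]

DsRdata = Tuple[int, int, int, str]  # key tag, algorithm, digest type, digest hex


def normalize_name(name: str) -> str:
    """Lower-case, fully qualified (trailing dot) form for comparisons."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_ds(rdata: str) -> DsRdata:
    """Canonicalise presentation-format DS rdata so that whitespace and hex
    case differences between servers do not produce false mismatches."""
    keytag, alg, dtype, *digest = rdata.split()
    return int(keytag), int(alg), int(dtype), "".join(digest).lower()


def find_parent_zone(zone: str, query: QueryFn) -> str:
    """Walk up the name one label at a time; the first ancestor that has its
    own NS RRset is the parent zone. It does not have to be a TLD."""
    labels = normalize_name(zone).rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if query(candidate, "NS", None):
            return candidate
    return "."  # the zone is itself a TLD, so the root is its parent


@dataclass
class DsCheck:
    parent: str
    per_server: Dict[str, Set[DsRdata]] = field(default_factory=dict)
    missing: Set[str] = field(default_factory=set)

    @property
    def ready_for_ds_seen(self) -> bool:
        # Every parent server (and at least one) must return the expected DS set.
        return bool(self.per_server) and not self.missing


def check_ds_published(zone: str, expected_ds: Set[str], query: QueryFn) -> DsCheck:
    """Ask each parent NS directly (never a cache, so TTLs play no role) for
    the child's DS RRset and record which servers do not yet carry it all."""
    zone = normalize_name(zone)
    expected = {parse_ds(r) for r in expected_ds}
    result = DsCheck(parent=find_parent_zone(zone, query))
    for ns in sorted(normalize_name(n) for n in query(result.parent, "NS", None)):
        seen = {parse_ds(r) for r in query(zone, "DS", ns)}
        result.per_server[ns] = seen
        if not expected <= seen:
            result.missing.add(ns)
    return result


def dig_query(qname: str, qtype: str, server: Optional[str] = None) -> Set[str]:
    """Real backend (assumption: `dig` is installed). Querying a server by
    name reaches only one of its addresses, so an anycast or dual-stack
    instance may still lag even when this reports success; re-run over time."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [qname, qtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


# Constructed offline data: the parent example.org. has two servers and
# ns2 has not yet received the new DS record for sub.example.org.
EXPECTED_DS = {"12345 13 2 " + "ab" * 32}
FAKE_ZONES = {
    ("example.org.", "NS", None): {"ns1.example.org.", "ns2.example.org."},
    ("sub.example.org.", "DS", "ns1.example.org."): {"12345 13 2 " + "AB" * 32},
    ("sub.example.org.", "DS", "ns2.example.org."): set(),
}


def fake_query(qname: str, qtype: str, server: Optional[str] = None) -> Set[str]:
    """Offline stand-in for dig_query backed by the constructed table."""
    return set(FAKE_ZONES.get((normalize_name(qname), qtype, server), set()))


if __name__ == "__main__":
    check = check_ds_published("sub.example.org", EXPECTED_DS, fake_query)
    print("parent zone:", check.parent)
    for ns in check.per_server:
        print(f"  {ns}: {'DS missing' if ns in check.missing else 'ok'}")
    print("run ds-seen now:", check.ready_for_ds_seen)
```

Swapping `fake_query` for `dig_query` turns this into the live check; a wrapper would then run `ods-ksmutil key ds-seen` only when `ready_for_ds_seen` is true, and keep polling otherwise. The per-server view is what distinguishes "one server answered" from "the parent has published", which is the point Volker raises about anycast and Rick's observation about mixed IPv4/IPv6 presence on the parent's servers.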