[Opendnssec-user] automated DS management when child and parent on the same system
Emil Natan
2016-07-20 13:02:52 UTC
Hello,

Was automated DS management ever considered in the scenario when both child
and parent are managed on the same system? What I mean is DS for the child
domain to be automatically published and signed in the parent and replaced
when KSK rollover is performed for the child domain.
Thank you.

Emil
Sebastian Castro
2016-07-20 20:43:43 UTC
> Hello,
Hi Emil,
> Was automated DS management ever considered in the scenario when both
> child and parent are managed on the same system? What I mean is DS for
> the child domain to be automatically published and signed in the parent
> and replaced when KSK rollover is performed for the child domain.
That's not part of the OpenDNSSEC features, but it can be done. We have
10+ child zones and their corresponding parent signed with DNSSEC
using ODS, and with some scripting magic we managed to securely transfer
the DS records for the children into the parent, making the KSK
rollovers automatic.

Cheers,
> Thank you.
> Emil
> _______________________________________________
> Opendnssec-user mailing list
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
--
Sebastian Castro
Technical Research Manager
NZRS Ltd.
desk: +64 4 495 2337
mobile: +64 21 400535
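The child-to-parent DS hand-off Sebastian describes, as an added illustration that is not the NZRS, SURFnet or OpenDNSSEC code: it derives the DS RDATA (key tag per RFC 4034 Appendix B, SHA-256 digest type 2) from a child KSK DNSKEY and computes which DS records the co-hosted parent zone must add and withdraw at a KSK rollover. The zone name and key bytes are constructed placeholders, not a real key.

```python
# Added example (not the scripts from the thread): derive the parent's DS
# record from a child's KSK and reconcile it with what the parent publishes.
import base64
import hashlib
import struct

DIGEST_SHA256 = 2  # DS digest type 2 (SHA-256, RFC 4509)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(16) protocol(8) algorithm(8) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b  # even offsets are high bytes of 16-bit words
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """DS RDATA presentation form 'keytag algorithm 2 <hex digest>' for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {DIGEST_SHA256} {digest}"


def ds_delta(child_ds: set, parent_ds: set) -> tuple:
    """(DS to add, DS to withdraw) so the parent matches the child's current KSK set."""
    return child_ds - parent_ds, parent_ds - child_ds


if __name__ == "__main__":
    # Constructed sample: flags 257 = KSK, protocol 3, algorithm 13 = ECDSAP256SHA256.
    ksk_new = base64.b64encode(bytes(range(64))).decode()        # placeholder key bytes
    ksk_old = base64.b64encode(bytes(range(64, 128))).decode()   # placeholder key bytes
    child = {make_ds("child.example.", 257, 3, 13, ksk_new)}     # what the child signs with now
    parent = {make_ds("child.example.", 257, 3, 13, ksk_old)}    # what the parent still publishes
    add, withdraw = ds_delta(child, parent)
    print("add to parent:", add)
    print("withdraw from parent:", withdraw)
```

In a real deployment the child set would be read from the signed child zone (its KSK DNSKEYs, or its CDS records once RFC 7344 is in use) and the delta applied to the parent zone before it is re-signed.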
Benno Overeinder
2016-07-30 12:37:18 UTC
Hi all,
>> Hello,
> Hi Emil,
>> Was automated DS management ever considered in the scenario when both
>> child and parent are managed on the same system? What I mean is DS for
>> the child domain to be automatically published and signed in the parent
>> and replaced when KSK rollover is performed for the child domain.
> That's not part of the OpenDNSSEC features, but it can be done. We have
> 10+ child zones and their corresponding parent signed with DNSSEC
> using ODS, and with some scripting magic we managed to securely transfer
> the DS records for the children into the parent, making the KSK
> rollovers automatic.
Thank you Sebastian and Emil for bringing this item up.

Automated DS management such as described in RFC 7344 is on our roadmap for OpenDNSSEC 2.x (probably 2.2 or 2.3).

Input like yours on operational scenarios is most welcome. This helps us define the next releases and priorities for the OpenDNSSEC roadmap.

Best regards,

— Benno
--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
Roland van Rijswijk - Deij
2016-09-02 07:41:21 UTC
Hi Emil,
>>> Hello,
>> Hi Emil,
>>> Was automated DS management ever considered in the scenario when both
>>> child and parent are managed on the same system? What I mean is DS for
>>> the child domain to be automatically published and signed in the parent
>>> and replaced when KSK rollover is performed for the child domain.
>> That's not part of the OpenDNSSEC features, but it can be done. We have
>> 10+ child zones and their corresponding parent signed with DNSSEC
>> using ODS, and with some scripting magic we managed to securely transfer
>> the DS records for the children into the parent, making the KSK
>> rollovers automatic.
> Thank you Sebastian and Emil for bringing this item up.
> Automated DS management such as described in RFC 7344 is on our roadmap for OpenDNSSEC 2.x (probably 2.2 or 2.3).
> Input like yours on operational scenarios is most welcome. This helps us define the next releases and priorities for the OpenDNSSEC roadmap.
We have scripted this for our environment (scripts in Python), if you're
interested, we'd be more than happy to share our code with you. I've
copied in Rick van Rein who is the main author of that code.

Cheers,

Roland
--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
-- e: ***@surfnet.nl
Rick van Rein
2016-09-02 17:44:45 UTC
Hi Emil et al,
> We have scripted this for our environment (scripts in Python), if you're
> interested, we'd be more than happy to share our code with you. I've
> copied in Rick van Rein who is the main author of that code.
We've already posted the code on our blog, at

https://blog.surf.nl/en/reaching-out-to-the-parent-zone/

This doesn't include CDS support yet, and will let you build a bit of
code to link up to your TLD or TLDs, but other than that it is fairly
generic and, as we've found in a few years of use in a dynamic research
environment, it is *extremely* solid code :)

Spoiler alert: We're working on a remote-procedure-call environment
(among other things, usable over HTTP POST) that will interact with this code.
For that to work, a few changes will be made to this code, but nothing
too far-fetched.

I hope you like it! You're welcome to share problems that you might
experience setting it up. We don't formally support it, but it never
hurts to ask an informed question from which we might learn :)


Enjoy,
-Rick
