Hello, I'm trying to (mostly) automate my DNSSEC key rollovers. ZSK was relatively easy; the issue I am having with automating the KSK has to do with verifying that the DS info from the new key has been uploaded by the zone administrator before I stop signing with the old KSK.

I have been trying to figure out how to get dig or another utility to check whether or not the DS information from the new key has been uploaded to the registrar, but I'm at a loss.

Anyone know how to check whether or not the DS information from a given key is live and in the DNS system?

Thanks for any help,
Michael
On Thu, 9 Apr 2015, Michael A. Peters wrote:

> I have been trying to figure out how to get dig or another utility to check
> whether or not the DS information from the new key has been uploaded to the
> registrar but I'm at a loss.
>
> Anyone know how to check whether or not the DS information from a given key
> is live and in the DNS system?

[root@ns0 nsd]# grep DNSKEY /var/opendnssec/signed/nohats.ca |grep 257 >/tmp/mykey
[root@ns0 nsd]# ldns-key2ds /tmp/mykey
Knohats.ca.+008+01321
[root@ns0 nsd]# cat Knohats.ca.+008+01321.ds
nohats.ca. 3600 IN DS 1321 8 2 b7890a1e7b4ce1d671795d5fd46a71f229c58025587bec4eeb70ccda9233011c
[root@ns0 nsd]# dig +short ds nohats.ca
1321 8 2 B7890A1E7B4CE1D671795D5FD46A71F229C58025587BEC4EEB70CCDA 9233011C

Someone should fix ldns-key2ds to take stdin :)

Paul
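The manual comparison Paul shows above (ldns-key2ds on the KSK, then eyeballing it against `dig +short ds`) is what Michael wants to script. The following is an added example, written for this page and not code from either poster, OpenDNSSEC or ldns. It computes a DS the same way ldns-key2ds does (RFC 4034 section 5.1.4: hash over the canonical lowercase owner name in wire form followed by the DNSKEY RDATA; key tag per RFC 4034 appendix B), parses the DS lines that `dig +short ds` and a `.ds` file produce (which differ in case and in whitespace inside the digest, as seen above), and reports where a KSK rollover stands at the parent. It goes a little beyond Paul's one-liner in that it also looks for the old DS. The two DS strings are the ones from Paul's session; the DNSKEY in `main()` is a constructed dummy key, not a real one, so the example runs offline.

```python
import base64
import hashlib
import struct

# DS digest types (IANA registry); only the hash function matters here.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by the root label."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag over the whole DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """(keytag, algorithm, digest_type, digest_hex) for a DNSKEY, i.e. what
    ldns-key2ds writes: digest = H(canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(line):
    """Parse one DS record as printed by 'dig +short ds' or as found in a
    ldns-key2ds .ds file. dig may split the digest into several whitespace
    separated tokens and prints it in upper case; normalise both."""
    fields = line.split()
    if "DS" in fields:                       # full RR line: owner TTL IN DS ...
        fields = fields[fields.index("DS") + 1:]
    if len(fields) < 4:
        raise ValueError("not a DS record: %r" % line)
    return (int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:]).lower())


def ds_published(expected, parent_answer):
    """True if the DS we expect (tuple from make_ds or parse_ds) is among the
    DS records the parent serves (lines of 'dig +short ds' output)."""
    return any(parse_ds(l) == expected for l in parent_answer if l.strip())


def rollover_state(old_ds, new_ds, parent_answer):
    """Where a KSK rollover stands, judged only by what the parent publishes."""
    old = ds_published(old_ds, parent_answer)
    new = ds_published(new_ds, parent_answer)
    if new and old:
        return "both DS published: keep signing with both KSKs until the old DS is removed"
    if new:
        return "only new DS published: retire the old KSK after the old DS TTL has expired"
    if old:
        return "new DS not yet at parent: keep signing with the old KSK"
    return "neither DS at parent: zone is unsigned from the parent's point of view, check the query"


# Sample data: the two renderings of the same DS from Paul's session above.
LDNS_DS_LINE = ("nohats.ca. 3600 IN DS 1321 8 2 "
                "b7890a1e7b4ce1d671795d5fd46a71f229c58025587bec4eeb70ccda9233011c")
DIG_ANSWER = ["1321 8 2 B7890A1E7B4CE1D671795D5FD46A71F229C58025587BEC4EEB70CCDA 9233011C"]

# Constructed dummy KSK (flags 257, protocol 3, algorithm 8) with a made-up
# 4-byte "public key"; it is NOT a real key, it only makes the example run offline.
DUMMY_KEY_B64 = base64.b64encode(bytes.fromhex("03010001")).decode()


def main():
    old_ds = parse_ds(LDNS_DS_LINE)
    new_ds = make_ds("nohats.ca.", 257, 3, 8, DUMMY_KEY_B64)
    print("old DS:", old_ds)
    print("new DS:", new_ds)
    print("old DS published:", ds_published(old_ds, DIG_ANSWER))
    print("new DS published:", ds_published(new_ds, DIG_ANSWER))
    print(rollover_state(old_ds, new_ds, DIG_ANSWER))


if __name__ == "__main__":
    main()
```

In a real rollover script the `parent_answer` list would be the lines of `dig +short ds nohats.ca @<one of the parent's authoritative servers>`; asking the parent's authoritative servers directly rather than a recursive resolver avoids being fooled by a cached DS RRset. Even once the old DS is gone from the parent, validators may hold it for up to its TTL, so the old KSK's signatures must stay in the zone for at least that long before it is retired.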