Bug #720

Bind9 KASP Migration Problems

Added by Marc Dequènes 14 days ago. Updated 13 days ago.

Status: New
Priority: Low
Category: Service :: DNS
Start date: 2018-05-07
Due date:
% Done: 0%
Estimated time: (Total: 0:00 h)
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security:
Help Needed:

Description

This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`.

We encountered a few bugs or limitations (the latter being expected improvements from the old system that are still dearly lacking):

Tickets to keep track of:

Features we really need:
  • publishing of CDS/CDNSKEY handled by KASP
  • automate using published CDS/CDNSKEY in parent zones we manage: created support with a crontab in the bind9 role
  • notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream
  • automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar
  • rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)
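
One way to approach the "notify Bind when the DS is published/withdrawn" item, as an added example (not DuckCorp's script and not part of the original ticket): it compares the zone's CDS records with the DS set served by the parent and returns the `rndc dnssec -checkds` calls that are safe to make. The input format (`dig +short` lines), the zone name, the key tags and the digests are assumptions constructed for illustration.

```python
DELETE = (0, 0, 0, "00")  # RFC 8078 sentinel: the child asks for removal of all DS

def parse_ds(lines):
    """Parse CDS/DS lines into a set of (key_tag, alg, digest_type, digest)."""
    records = set()
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
            # Error text from a failed lookup must never be read as "no DS".
            raise ValueError(f"not a DS/CDS record: {line!r}")
        tag, alg, dtype = (int(f) for f in fields[:3])
        # dig may print a long digest as space-separated chunks: rejoin them.
        records.add((tag, alg, dtype, "".join(fields[3:]).upper()))
    return records

def checkds_commands(zone, cds_lines, parent_ds_lines, retired_tags=()):
    """Return the rndc argument lists that are safe to run for `zone`."""
    cds, parent = parse_ds(cds_lines), parse_ds(parent_ds_lines)
    cmds = []
    if DELETE not in cds:
        # Published: the parent serves a DS identical to one of our CDS records.
        # Matching on the key tag alone would accept a stale or colliding DS.
        for tag in sorted({r[0] for r in cds & parent}):
            cmds.append(["rndc", "dnssec", "-checkds", "-key", str(tag),
                         "published", zone])
    # Withdrawn: a retired key (tags supplied by the caller) has no DS left.
    parent_tags = {r[0] for r in parent}
    for tag in sorted(set(retired_tags) - parent_tags):
        cmds.append(["rndc", "dnssec", "-checkds", "-key", str(tag),
                     "withdrawn", zone])
    return cmds

# Constructed sample data: zone name, key tags and digests are made up.
ZONE = "example.org"
CDS = ["12345 13 2 " + "ab" * 32, "23456 13 2 " + "cd" * 32]
PARENT_DS = ["12345 13 2 " + "AB" * 14 + " " + "AB" * 18,  # digest split in two
             "23456 13 2 " + "EE" * 32]                     # same tag, other digest

if __name__ == "__main__":
    for cmd in checkds_commands(ZONE, CDS, PARENT_DS, retired_tags=[11111]):
        print(" ".join(cmd))
```

Run the returned commands only when both lookups succeeded (check the exit status of `dig`) and were made against the parent's authoritative servers. An empty answer from a failed query would otherwise be taken as a withdrawn DS.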

Subtasks

Enhancement #623: Use Gandi API to automate DNSSEC KSK rollover (New)

History

#1

Updated by Marc Dequènes 14 days ago

  • Description updated (diff)
