Volker,
----- Original Message -----
From: "Volker Janzen" <voja(a)voja.de>
To: "knot-dns-users" <knot-dns-users(a)lists.nic.cz>
Sent: Saturday, 22 October, 2016 14:20:29
Subject: Re: [knot-dns-users] knot 2.3.0-3: Automatic DNSSEC signing: Current limitations and creating trusted-keys { ... }
Hi,
Yes, the KSK will not change. We have plans to support KSK rollover,
but it has to be either manually triggered, or configured first
(in case we also implement some kind of automated DS upload).
Any plans about the automated upload? Perhaps make a script call and pass data
via stdin?
No definitive "plans" yet, but this is certainly something we will
consider when designing the automated KSK rollover.
Please keep in mind that you must be able to choose DNSKEY upload too, as
there are registries / registrars that require DNSKEY instead of DS.
Sure, CZ.NIC (.CZ) is one of those registries that require DNSKEY.
If you implement this kind of upload I'm going to test it and provide a script
that can be used with the API of one registrar (that will require DNSKEY btw).
Thanks, we will provide a design document before we start working
on this to the community and we would welcome your comments on it.
This won't happen till next year though, our TODO list is quite
full.
Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz
https://nic.cz/
--------------------------------------------