DNSSEC specific record types
Great project!
The specific use case I’m looking at now is managing zones via DNSimple. All of our domains are DNSSEC, so we have DNSKEY records. (AttributeError: 'DnsimpleProvider' object has no attribute '_data_for_DNSKEY') Normally this would be a straight multiple record type to implement. The concern that comes up on writing the PR for the record type is that this is not always something generated by the clients, and DNSimple rotates the records themselves on schedule. The APIv2 documentation shows that the record can be put by the client in addition to DNSimple’s record generation. Tends to break any kind of idempotent scheme. That requires an update at the domain Registrar. I’m sure someone has come up against this previously, but I didn’t see an issue referencing DNSSEC in my search.
Issue Analytics
- State:
- Created 6 years ago
- Comments: 8 (3 by maintainers)
Top GitHub Comments
Hi @dschaper not sure how common DNSSEC use is for people looking at octoDNS, but it’s not a case that has specifically been explored. Based on your description the best option may be for octoDNS to ignore DNSKEY records in cases where the provider is managing things.
For `DnsimpleProvider` that’d probably be as easy as changing the `if _type == 'SOA':` line to `if _type not in self.SUPPORTS`, which is a bit more robust way to go about skipping unsupported records.

It’s likely that a full pass of DNSSEC support would be nice to do at some point, but looking around DNS provider support for it is still pretty lacking so that point may not be yet, at least I probably won’t have the time to dig into it soon 😁
Did a bit more digging a while back and I’m going to call this one not feasible. As far as I could find there are no commercial providers that let you provide the signing info and thus there’s no real way to have multiple providers signing identically. It did not appear to be possible to provide both providers’ signing info so that either’s signing would be allowed, though it’s possible I missed something there.
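
The `SUPPORTS` check suggested in the first comment, shown as an added example that is not octoDNS's own code: a simplified stand-in for a provider's populate loop that dispatches to `_data_for_<TYPE>` handlers. `ToyProvider`, `SAMPLE_API_RECORDS`, the `skip_unsupported` switch and the `skipped` list are assumptions made for illustration; recording skipped records keeps provider-managed DNSKEY entries visible to the operator while the sync leaves them alone.

```python
from collections import defaultdict

# Constructed sample of what a provider API might list for a signed zone.
SAMPLE_API_RECORDS = [
    {"name": "", "type": "SOA", "ttl": 3600, "content": "ns1.example.com admin.example.com 1"},
    {"name": "", "type": "A", "ttl": 300, "content": "192.0.2.10"},
    {"name": "www", "type": "A", "ttl": 300, "content": "192.0.2.11"},
    {"name": "", "type": "DNSKEY", "ttl": 3600, "content": "257 3 13 <constructed-placeholder>"},
]


class ToyProvider:
    """Hypothetical stand-in, not octoDNS's DnsimpleProvider."""

    SUPPORTS = {"A"}  # assumed: the only type this toy provider has a handler for

    def __init__(self, skip_unsupported):
        self.skip_unsupported = skip_unsupported
        self.skipped = []  # (name, type) pairs left to the provider to manage

    def _data_for_A(self, _type, records):
        return {"type": _type, "ttl": records[0]["ttl"],
                "values": [r["content"] for r in records]}

    def populate(self, api_records):
        grouped = defaultdict(list)
        for rec in api_records:
            _type = rec["type"]
            if self.skip_unsupported:
                # Suggested check: skip anything without a handler and log it.
                if _type not in self.SUPPORTS:
                    self.skipped.append((rec["name"], _type))
                    continue
            elif _type == "SOA":
                # Original check: only SOA is skipped, DNSKEY falls through.
                continue
            grouped[(rec["name"], _type)].append(rec)

        zone = {}
        for (name, _type), recs in grouped.items():
            # Handler lookup by name; an unhandled type raises AttributeError.
            data_for = getattr(self, f"_data_for_{_type}")
            zone[(name, _type)] = data_for(_type, recs)
        return zone
```
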