08-18-2016 06:21 AM
In the process of implementing DNSSEC on 500+ Zones in NIOS 7.2.5. I can sign multiple Zones at a time, but must export the DS record one Zone at a time. A very tedious process. What have others done in similar situations? Is the KSK rollover process going to be as tedious? Thanks.
08-18-2016 11:58 AM
I think we need a little more info before anyone can give you a good answer.
Can you tell us if there is a parent/child zone relationship to these 500 zones?
If there is a child zone, is the child on the same Infoblox Grid or is it delegated out somewhere else?
08-18-2016 12:23 PM
You can use the WAPI to get all the DNSSEC zones within a rollover window using "dnssec_ksk_rollover > = ..."
That will export the public keys.
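Once the DNSKEY public keys have been exported, the DS records a parent or registrar needs can be derived offline for all zones in one pass. The following is an added example, not part of the original thread and not Infoblox code: it computes DS records from DNSKEY fields as defined in RFC 4034, makes no WAPI calls, and its function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical owner name: lowercase, uncompressed, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_to_ds(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return DS record text for one KSK; raise ValueError for anything else."""
    if flags & 0x0101 != 0x0101:
        raise ValueError("not a KSK (Zone Key and SEP flags must both be set)")
    if protocol != 3 or algorithm == 1 or digest_type not in DIGESTS:
        raise ValueError("unsupported protocol, algorithm or digest type")
    key = base64.b64decode(pubkey_b64, validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    # DS digest = hash(canonical owner name | DNSKEY RDATA)
    digest = DIGESTS[digest_type](name_to_wire(zone) + rdata).hexdigest().upper()
    owner = zone.lower().rstrip(".")
    return f"{owner}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def export_ds(dnskeys, digest_type=2):
    """Bulk-convert (zone, flags, protocol, algorithm, pubkey_b64) tuples.
    Returns (ds_lines, skipped); skipped holds (zone, reason) pairs."""
    ds_lines, skipped = [], []
    for zone, *fields in dnskeys:
        try:
            ds_lines.append(dnskey_to_ds(zone, *fields, digest_type=digest_type))
        except ValueError as exc:
            skipped.append((zone, str(exc)))
    return ds_lines, skipped

# Constructed sample input: placeholder key bytes, not real DNSKEYs.
SAMPLE = [
    ("example.com", 257, 3, 8, "AQIDBA=="),  # KSK (flags 257)
    ("example.net", 256, 3, 8, "AQIDBA=="),  # ZSK (flags 256), skipped
]

if __name__ == "__main__":
    print(export_ds(SAMPLE))
```

Comparing the key tag and digest in each generated line against what the parent zone currently publishes is a quick way to spot zones whose DS is stale before or after a KSK roll.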
08-18-2016 12:34 PM
I was just writing that it looks like the API is the only way to do this in a sane manner for that many zones but GHorne beat me to it.
As far as the question about ksk rolling goes, that should be handled with caution. Much of it depends on the registrar's support; they may or may not have an automated way to tell when you are rolling your KSKs and sign the new KSK (DS). I see you can set automatic rolling for the KSK using the API, but I don't see a manual way to initiate the KSK roll via the API.
08-18-2016 12:43 PM
Are there any Infoblox customers in this community that can share their experiences in implementing a large database of parent Zones to DNSSEC?