Hi,

Why not use PowerDNS's automatic signing? It is able to transparently sign zones.

Cheers,
Kees

On 09-04-2024 09:01, Christian Rohmann wrote:
Thanks for getting back to me on this one!

On 09.04.24 5:26 AM, Michael Johnson wrote:
I definitely think we should consider enhancing Designate to support
DNSSEC. Bump-in-the-wire may be an interim solution, but I think we
should pursue a native solution.

Good point to discuss. Maybe there are also existing libraries (e.g. https://www.dnspython.org/)
that could be leveraged? Otherwise using an existing and proven DNS server software to do the signing is no crime.
Dealing with key creation, rollover and storage is plenty to do and implementing all of the DNSSEC
workflows and staying current with them does create the requirement to keep up.

Unfortunately there seems to be no standard API like there is with Catalog Zones to integrate bump in the wire signers.
So implementation specific API calls are necessary, creating somewhat of a mess in itself again.

Native support would immediately enable all secondaries to receive signed zones and also avoid all those orchestration and synchronization issues that come with provisioning the bump in the wire signer for each zone.
Also it avoids the single point of failure that again has to be mitigated.


This topic is on our PTG etherpad. We definitely can cover both
topics. What time during our session works best for you?

Can we do DNSSEC 15:00 UTC (so 17:00 CEST for me)?
I suppose you are doing Meetpad for conferencing? So URL https://meetpad.opendev.org/apr2024-ptg-designate ?



Thanks again,
Regards


Christian