DNSSEC KSK Rollover

Hello,

I'm trying to (mostly) automate my DNSSEC key rollovers.

ZSK was relatively easy, the issue I am having with automating the KSK has to do with verifying the DS info from the new key has been uploaded by the zone administrator before I stop signing with the old KSK.

I have been trying to figure out how to get dig or another utility to check whether or not the DS information from the new key has been uploaded to the registrar but I'm at a loss.

Anyone know how to check whether or not the DS information from a given key is live and in the DNS system?

Thanks for any help,

Michael

[root@ns0 nsd]# grep DNSKEY /var/opendnssec/signed/nohats.ca |grep 257 >/tmp/mykey
[root@ns0 nsd]# ldns-key2ds /tmp/mykey Knohats.ca.+008+01321
[root@ns0 nsd]# cat Knohats.ca.+008+01321.ds nohats.ca. 3600 IN DS 1321 8 2 b7890a1e7b4ce1d671795d5fd46a71f229c58025587bec4eeb70ccda9233011c
[root@ns0 nsd]# dig +short ds nohats.ca
1321 8 2 B7890A1E7B4CE1D671795D5FD46A71F229C58025587BEC4EEB70CCDA
9233011C

Someone should fix ldns-key2ds to take stdin

Paul