Tony Finch (dot) writes:
And for recent BIND, use `rndc managed-keys status` or for less recent BIND use `rndc secroots` (which dumps to named.secroots in the server's working directory instead of stdout).
Got an old 9.8.4-P2 I'm keeping around to check behaviour. It supports rndc secroots, but not rndc managed-keys status. Here's what I get, FYI:

-rw-r--r-- 1 bind bind 1175 Aug 10 16:02 managed-keys.bind
-rw-r--r-- 1 bind bind 512 Aug 10 16:02 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind 76 Aug 11 11:24 named.secroots

... named secroots still lists 19036:

11-Aug-2017 11:24:26.711
Start view _default
./RSASHA256/19036 ; managed

... but managed-keys *does* contain both keys (20326 and 19036). Nothing in the logs indicating it's considering trusting 20326 anytime soon.

Cheers,
Phil
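Added example, not part of the thread: a small parser for the named.secroots layout quoted above (one "Start view <name>" line per view, then one "<name>/<algorithm>/<keytag> ; <kind>" line per trust anchor), used to flag views that do not yet list a given root key tag. The sample input is constructed and the function names are my own.

```python
"""Check which root trust anchors each BIND view trusts, from rndc secroots output."""
import re
from collections import defaultdict

# Constructed sample in the format shown in the post: a timestamp, then per view
# a "Start view" line followed by "name/algorithm/keytag ; kind" anchor lines.
SAMPLE_SECROOTS = """\
11-Aug-2017 11:24:26.711
Start view _default
./RSASHA256/19036 ; managed
Start view internal
./RSASHA256/19036 ; managed
./RSASHA256/20326 ; managed
"""

VIEW_RE = re.compile(r"^Start view (\S+)")
# zone name / algorithm mnemonic / key tag, then "; managed" or "; trusted"
KEY_RE = re.compile(r"^(\S+)/([A-Za-z0-9-]+)/(\d+)\s*;\s*(\w+)")


def parse_secroots(text):
    """Return {view: [(name, algorithm, keytag, kind), ...]} for the given dump.

    Lines that match neither pattern (timestamp, headers such as
    "Secure roots:" in newer versions) are ignored.
    """
    views = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            current = m.group(1)
            views.setdefault(current, [])
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            name, alg, tag, kind = m.groups()
            views[current].append((name, alg, int(tag), kind))
    return dict(views)


def views_missing_tag(text, keytag, name="."):
    """Names of views whose anchors for `name` do not include key tag `keytag`."""
    views = parse_secroots(text)
    return sorted(view for view, keys in views.items()
                  if not any(n == name and t == keytag for n, _, t, _ in keys))


if __name__ == "__main__":
    # On a live server: rndc secroots, then read named.secroots from the working directory.
    for view in views_missing_tag(SAMPLE_SECROOTS, 20326):
        print(f"view {view}: root key tag 20326 not yet trusted")
```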