Sameka,

That's the DNSSEC Debugger's trust anchor, not yours. Unfortunately the Debugger only tests authoritative name server configurations. It cannot test anything about your validating name server. Per some previous emails on this list, you can run either 'rndc secroots' or 'rndc managed-keys' depending on your particular version of BIND 9.

DW

On Aug 15, 2017, at 8:14 PM, Sameka McNeil - NOAA Affiliate <sameka.s.mcneil@noaa.gov> wrote:
So the dnssec-debugger.verisignlabs.com showed my DS=20326/SHA-256 is now in the chain-of-trust

On Tue, Aug 15, 2017 at 7:36 PM, Sameka McNeil - NOAA Affiliate <sameka.s.mcneil@noaa.gov> wrote:
Could someone give me a hand?
I added the new root KSK to my BIND 9 configuration using the trusted-keys configuration.
How do I know if it's trusted and validated?
Thank you for any assistance

On Tue, Aug 15, 2017 at 4:47 PM, Evan Hunt <each@isc.org> wrote:
On Tue, Aug 15, 2017 at 07:54:55PM +0000, Paul Hoffman wrote:
On Aug 10, 2017, at 2:03 PM, Evan Hunt <each@isc.org> wrote:
If you run a recent BIND, "rndc managed-keys status"
That works in BIND 9.11.x; is there any equivalent for BIND 9.10.x, which is still much more prevalent in distros?
"rndc secroots" will dump a list of trusted keys, and the managed-keys.bind file is readable and has comments that indicate whether trust is pending or active for each key.
--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
-- -- Sameka S. McNeil
-- -- Sameka S. McNeil Phone: 301.628.5644 Cell: 202.360.9428
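
The two checks mentioned in the thread ('rndc secroots' and reading managed-keys.bind), sketched as an added example that is not part of the original messages. The file formats and the sample contents are assumptions constructed for illustration, with key material left out; confirm them against the output of your own BIND 9 version.

```shell
#!/bin/sh
# Added example. Assumed formats (not shown in the thread): a "rndc secroots"
# dump lists anchors as "./RSASHA256/20326 ; managed"; managed-keys.bind tags
# each key with "; key id = N" then "; trusted since:" or "; trust pending:".

# secroots_status FILE TAG -> managed | trusted | absent
secroots_status() {
    awk -v tag="$2" '
        $1 ~ /^\.\/[A-Za-z0-9-]+\/[0-9]+$/ {
            n = split($1, p, "/")
            if (p[n] == tag) { print $3; found = 1; exit }
        }
        END { if (!found) print "absent" }' "$1"
}

# managed_keys_state FILE TAG -> active | pending | absent
managed_keys_state() {
    awk -v tag="$2" '
        /key id = *[0-9]+/ {
            cur = $0; sub(/.*key id = */, "", cur); sub(/[^0-9].*/, "", cur)
        }
        cur == tag && /; trusted since:/ { state = "active" }
        cur == tag && /; trust pending:/ { state = "pending" }
        END { print (state == "" ? "absent" : state) }' "$1"
}

# Constructed sample files (dates invented, key data omitted), written to $1.
make_samples() {
    cat > "$1/named.secroots" <<'EOF'
20-Jul-2017 20:14:00.000

 Start view _default

./RSASHA256/19036 ; managed
EOF
    cat > "$1/managed-keys.bind" <<'EOF'
    ) ; KSK; alg = RSASHA256; key id = 19036
    ; next refresh: Fri, 21 Jul 2017 20:14:00 GMT
    ; trusted since: Mon, 01 Aug 2016 00:00:00 GMT
    ) ; KSK; alg = RSASHA256; key id = 20326
    ; next refresh: Fri, 21 Jul 2017 20:14:00 GMT
    ; trust pending: Thu, 10 Aug 2017 00:00:00 GMT
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
for tag in 20326 19036; do
    echo "$tag secroots=$(secroots_status "$dir/named.secroots" "$tag")" \
         "managed-keys=$(managed_keys_state "$dir/managed-keys.bind" "$tag")"
done
```

A key configured with trusted-keys, as in the question, is not tracked in managed-keys.bind, so only the secroots check applies to it.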