On 11 Aug 2017, at 20:11, Evan Hunt <each@isc.org> wrote:
> This means that it isn't yet a trust anchor...
> ... but managed-keys *does* contain both keys (20326 and 19036).
> ...but will be at some point, which you can determine by looking at the KEYDATA line in managed-keys.bind. The second date field is when the add hold-down period will end, in UTC. (My server has 20170811222637, about five hours from now.)
> More recent versions of BIND added comments to the file that say "trust pending" with a more human-readable date, and the 'rndc managed-keys' command so you can query the server directly.

For red-hatted retronauts who rock like it's 9.7.0, years ago I wrote a script for parsing managed-keys.bind and explaining its contents. It has not turned out to be amazingly robust, but the splendid people at ISC.org have kept it working. (You probably want to run `rndc sync` first to ensure the journal has been folded into the master file.)

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=contrib/scrip...

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at
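
Added example, not part of the original message and not the script linked above: a Python sketch that reads the second date field of each KEYDATA record, as described in the quoted text, and reports whether the add hold-down has ended at a given time. The sample record is constructed with placeholder key material, and the layout of three 14-digit date fields after `KEYDATA` is an assumption of this sketch.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a KEYDATA record whose rdata starts with three
# YYYYMMDDHHMMSS date fields. The key material is a placeholder, not a real key.
SAMPLE = """\
. KEYDATA 20170811182637 20170811222637 19700101000000 257 3 8 (
        PLACEHOLDERKEYDATA== ) ; constructed example
"""

STAMP = re.compile(r"^\d{14}$")

def keydata_records(text):
    """Yield (first_token, rdata_fields) per KEYDATA record, joining ( ... ) lines."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]              # drop zone-file comments
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth <= 0 and buf:                    # record is complete
            if "KEYDATA" in buf:
                yield buf[0], buf[buf.index("KEYDATA") + 1:]
            buf, depth = [], 0

def add_holddown_end(fields):
    """Return the second date field as a timezone-aware UTC datetime."""
    dates = fields[:3]
    if len(dates) < 3 or not all(STAMP.match(d) for d in dates):
        raise ValueError("expected three 14-digit date fields after KEYDATA")
    return datetime.strptime(dates[1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def report(text, now):
    """List (owner, hold-down end, state) for every KEYDATA record in text."""
    out = []
    for owner, fields in keydata_records(text):
        end = add_holddown_end(fields)
        state = "add hold-down ended" if now >= end else "add hold-down pending"
        out.append((owner, end, state))
    return out

if __name__ == "__main__":
    for owner, end, state in report(SAMPLE, datetime.now(timezone.utc)):
        print(f"{owner} {state} ({end:%Y-%m-%d %H:%M:%S} UTC)")
```
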