On 11 Aug 2017, at 20:11, Evan Hunt <each@isc.org> wrote:

This means that it isn't yet a trust anchor...

   ... but managed-keys *does* contain both keys (20326 and 19036).

...but will be at some point, which you can determine by looking at the
KEYDATA line in managed-keys.bind.  The second date field is the when the
add hold-down period will end, in UTC. (My server has 20170811222637,
about five hours from now.)

More recent versions of BIND added comments to the file that say "trust
pending" with a more human-readable date, and the 'rndc managed-keys'
command so you can query the server directly.

For red-hatted retronauts who rock like it's 9.7.0, years ago I wrote a script for parsing managed-keys.bind and explaining its contents. It has not turned out to be amazingly robust, but the splendid people at ISC.org have kept it working. (You probably want to run `rndc sync` first to ensure the journal has been folded into the master file.)

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=contrib/scripts/check5011.pl;hb=HEAD

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at