On Tue, Aug 15, 2017 at 10:36 PM, Sameka McNeil - NOAA Affiliate <sameka.s.mcneil@noaa.gov> wrote:
Could someone give me a hand?
I added the new root KSK to my BIND 9 configuration using the trusted-keys configuration.
Unless you have a really good reason, 'trusted-keys' is probably not what you want -- you should almost definitely be using 'managed-keys' instead.
Trusted keys basically says: This is the trust anchor, and will always be the trust anchor. I take full responsibility for updating it if it changes in the future.
Managed keys says: This is the trust anchor. Please use the process in RFC5011 to manage this for me -- when a new trust anchor is introduced (and signed by the old one), start using it, and revoke this one when told to.
More details here: https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-...
W
How do I know if it's trusted and validated?
Thank you for any assistance
On Tue, Aug 15, 2017 at 4:47 PM, Evan Hunt <each@isc.org> wrote:
On Tue, Aug 15, 2017 at 07:54:55PM +0000, Paul Hoffman wrote:
On Aug 10, 2017, at 2:03 PM, Evan Hunt <each@isc.org> wrote:
If you run a recent BIND, "rndc managed-keys status"
That works in BIND 9.11.x; is there any equivalent for BIND 9.10.x, which is still much more prevalent in distros?
"rndc secroots" will dump a list of trusted keys, and the managed-keys.bind file is readable and has comments that indicate whether trust is pending or active for each key.
--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
--
Sameka S. McNeil
-- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
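
The trusted-keys versus managed-keys distinction discussed in this thread, written out as a named.conf fragment. This is an added example, not configuration posted by anyone on the list; the key string is a placeholder and the surrounding options block is an assumption about the rest of the file.

```conf
// Constructed named.conf fragment for BIND 9.10 / 9.11.
// "<ROOT-KSK-PUBLIC-KEY-BASE64>" is a placeholder, not real key data.
// Fields after the zone name: 257 = KSK flags, 3 = protocol,
// 8 = algorithm (RSASHA256).
// Configure the root anchor with ONE of the two statements below, not both.

options {
    // Validate using only the trust anchors configured explicitly
    // in this file (assumed setting for this example).
    dnssec-validation yes;
};

// Before: static trust anchor.
// named never changes this key. If the root KSK is rolled, the key
// stays as configured until an operator edits this file by hand.
trusted-keys {
    . 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64>";
};

// After: RFC 5011 managed trust anchor.
// "initial-key" seeds trust the first time named starts. From then on
// named tracks the root DNSKEY set itself: a new KSK signed by the
// current one is accepted after the RFC 5011 hold-down period, and a
// revoked key is dropped. The working state is kept in
// managed-keys.bind, whose comments show whether trust is pending or
// active for each key.
managed-keys {
    . initial-key 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64>";
};

// Checking the result, using the commands named in the thread:
//   rndc managed-keys status   (BIND 9.11.x)
//   rndc secroots              (dumps the list of trusted keys)
```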