[ksk-rollover] new root trust anchor confirmation
Phil Regnauld
regnauld at nsrc.org
Fri Aug 11 09:29:22 UTC 2017
Tony Finch (dot) writes:
>
> And for recent BIND, use `rndc managed-keys status` or for less recent BIND use `rndc secroots` (which dumps to named.secroots in the server's working directory instead of stdout).
Got an old 9.8.4-P2 I'm keeping around to check behaviour.
It supports rndc secroots, but not rndc managed-keys status.

Here's what I get, FYI:

-rw-r--r-- 1 bind bind 1175 Aug 10 16:02 managed-keys.bind
-rw-r--r-- 1 bind bind 512 Aug 10 16:02 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind 76 Aug 11 11:24 named.secroots

... named.secroots still lists 19036:

11-Aug-2017 11:24:26.711
Start view _default
./RSASHA256/19036 ; managed

... but managed-keys *does* contain both keys (20326 and 19036).

Nothing in the logs indicating it's considering trusting 20326 anytime
soon.

Cheers,
Phil
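
The check described in the message above, as an added example that is not part of the original post: it parses a `named.secroots` dump and reports, per view, whether the root zone is anchored on 19036, 20326 or both. It assumes the dump layout is exactly as quoted in the message; the function names are hypothetical.

```python
import re

# Root KSK key tags named in the message: 19036 (current) and 20326 (new).
OLD_KSK, NEW_KSK = 19036, 20326

# Constructed sample input: the dump quoted in the message above.
SAMPLE_SECROOTS = """\
11-Aug-2017 11:24:26.711
Start view _default
./RSASHA256/19036 ; managed
"""

# "Start view <name>" opens a view; entries look like "<zone>/<ALG>/<tag> ; <kind>".
VIEW = re.compile(r"^\s*Start view (\S+)")
ENTRY = re.compile(r"^(?P<zone>\S+)/(?P<alg>[A-Z0-9-]+)/(?P<tag>\d+)\s*;\s*(?P<kind>\w+)")


def parse_secroots(text):
    """Return {view: [(zone, algorithm, key_tag, kind), ...]}."""
    views, current = {}, None
    for line in text.splitlines():
        m = VIEW.match(line)
        if m:
            current = m.group(1)
            views.setdefault(current, [])
            continue
        m = ENTRY.match(line.strip())
        if m and current is not None:
            views[current].append((m["zone"], m["alg"], int(m["tag"]), m["kind"]))
    return views


def rollover_state(text, zone="."):
    """Per view: 'old-only', 'both', 'new-only' or 'none' for the given zone."""
    state = {}
    for view, entries in parse_secroots(text).items():
        tags = {tag for z, _alg, tag, _kind in entries if z == zone}
        if {OLD_KSK, NEW_KSK} <= tags:
            state[view] = "both"
        elif NEW_KSK in tags:
            state[view] = "new-only"
        elif OLD_KSK in tags:
            state[view] = "old-only"
        else:
            state[view] = "none"
    return state


if __name__ == "__main__":
    for view, status in rollover_state(SAMPLE_SECROOTS).items():
        print(f"view {view}: root trust anchors = {status}")
```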