[ksk-rollover] new root trust anchor confirmation

Phil Regnauld regnauld at nsrc.org
Fri Aug 11 09:29:22 UTC 2017

Tony Finch (dot) writes:
> And for recent BIND, use `rndc managed-keys status` or for less recent BIND use `rndc secroots` (which dumps to named.secroots in the server's working directory instead of stdout).

	Got an old 9.8.4-P2 I'm keeping around to check behaviour.

	It supports rndc secroots, but not rndc managed-keys status.

	Here's what I get, FYI:

	-rw-r--r--  1 bind  bind  1175 Aug 10 16:02 managed-keys.bind
	-rw-r--r--  1 bind  bind   512 Aug 10 16:02 managed-keys.bind.jnl
	-rw-r--r--  1 bind  bind    76 Aug 11 11:24 named.secroots

	... named secroots still lists 19036:

11-Aug-2017 11:24:26.711

 Start view _default

./RSASHA256/19036 ; managed

	... but managed-keys *does* contain both keys (20326 and 19036).

	Nothing in the logs indicating it's considering trusting 20326 anytime
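The manual comparison above (which key tags sit in managed-keys.bind, and whether 20326 is trusted yet or still in its RFC 5011 hold-down) as an added example, not code from this thread or from BIND. It assumes the KEYDATA rdata layout from the BIND ARM (refresh, add-hold-down, remove-hold-down, flags, protocol, algorithm, key) and that an add-hold-down of epoch zero means "already trusted"; the sample zone and its short keys are constructed, so their tags are not the real 19036 / 20326.

```python
"""Classify keys in a BIND managed-keys.bind zone by RFC 5011 state (added
example, not code from the thread or from BIND).  Assumed KEYDATA layout from
the BIND ARM: refresh addhd removehd flags proto alg key; addhd 19700101000000
(epoch zero) = already trusted, later = still in the 30-day add hold-down."""
import base64
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the parenthesised form BIND writes; the keys are
# short stand-ins, so the computed tags are not the real 19036 / 20326.
SAMPLE = """\
$ORIGIN .
$TTL 0
@       IN SOA . . ( 4 0 0 0 0 )
        KEYDATA 20170811112426 19700101000000 19700101000000 257 3 8 (
                AQID
                BA== ) ; KSK; alg = RSASHA256 ; trusted
        KEYDATA 20170811112426 20170910160200 19700101000000 257 3 8 (
                BQYHCA== ) ; KSK; alg = RSASHA256 ; still in hold-down
"""

def key_tag(flags, proto, alg, key):
    """Key tag from RFC 4034 Appendix B over the DNSKEY rdata."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def ts(field):  # KEYDATA time fields are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def managed_key_states(text, now="20170811112426"):
    """Return {key_tag: state}; 'now' is a YYYYMMDDHHMMSS string (UTC)."""
    # Drop ';' comments, then fold each parenthesised record onto one line.
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    body = body.replace("(", " ").replace(")", " ")
    states = {}
    for chunk in body.split("KEYDATA")[1:]:
        tok = chunk.split()
        addhd = ts(tok[1])  # tok[0] = refresh, tok[2] = remove hold-down
        flags, proto, alg = (int(t) for t in tok[3:6])
        key = base64.b64decode("".join(tok[6:]))  # base64 may span lines
        if addhd == EPOCH:
            state = "trusted"
        elif addhd <= ts(now):
            state = "hold-down expired, trusted at next refresh"
        else:
            state = f"hold-down until {addhd:%Y-%m-%d %H:%M}Z"
        states[key_tag(flags, proto, alg, key)] = state
    return states
```

A key that `rndc secroots` does not list but that this report shows in hold-down is the expected picture before the hold-down timer runs out.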

