[ksk-rollover] new root trust anchor confirmation

Evan Hunt each at isc.org
Fri Aug 11 17:11:31 UTC 2017

On Fri, Aug 11, 2017 at 11:29:22AM +0200, Phil Regnauld wrote:
> 11-Aug-2017 11:24:26.711
>  Start view _default
> ./RSASHA256/19036 ; managed

This means that it isn't yet a trust anchor...

> 	... but managed-keys *does* contain both keys (20326 and 19036).

...but will be at some point, which you can determine by looking at the
KEYDATA line in managed-keys.bind.  The second date field is the when the
add hold-down period will end, in UTC. (My server has 20170811222637,
about five hours from now.)

More recent versions of BIND added comments to the file that say "trust
pending" with a more human-readable date, and the 'rndc managed-keys'
command so you can query the server directly.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the ksk-rollover mailing list