[ksk-rollover] new root trust anchor confirmation
Tony Finch
dot at dotat.at
Fri Aug 11 22:54:14 UTC 2017
> On 11 Aug 2017, at 20:11, Evan Hunt <each at isc.org> wrote:
>
> This means that it isn't yet a trust anchor...
>
>> ... but managed-keys *does* contain both keys (20326 and 19036).
>
> ...but will be at some point, which you can determine by looking at the
> KEYDATA line in managed-keys.bind. The second date field is when the
> add hold-down period will end, in UTC. (My server has 20170811222637,
> about five hours from now.)
>
> More recent versions of BIND added comments to the file that say "trust
> pending" with a more human-readable date, and the 'rndc managed-keys'
> command so you can query the server directly.
For red-hatted retronauts who rock like it's 9.7.0, years ago I wrote a script for parsing managed-keys.bind and explaining its contents. It has not turned out to be amazingly robust, but the splendid people at ISC.org have kept it working. (You probably want to run `rndc sync` first to ensure the journal has been folded into the master file.)
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=contrib/scripts/check5011.pl;hb=HEAD
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at
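
Added example, not part of the original message and not the check5011.pl script: a small Python reader for the KEYDATA line discussed above, reporting each key's tag and whether the add hold-down date (the second date field) has passed. It assumes the fields after the three dates are flags, protocol, algorithm and base64 key; the function names are hypothetical and the sample record is constructed with a toy key.

```python
import base64
from datetime import datetime, timezone

def _ts(field):
    # Dates are written as YYYYMMDDHHMMSS, in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_tag(flags, proto, alg, key):
    # RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1).
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def logical_records(text):
    # Strip ';' comments and join lines inside ( ... ) into one token list.
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf).split()
            buf, depth = [], 0

def keydata_status(text, now):
    out = []
    for tok in logical_records(text):
        if "KEYDATA" not in tok:
            continue  # $ORIGIN, $TTL, SOA and so on
        f = tok[tok.index("KEYDATA") + 1:]
        flags, proto, alg = int(f[3]), int(f[4]), int(f[5])
        add_hd = _ts(f[1])  # second date field: end of the add hold-down
        out.append({
            "key_tag": key_tag(flags, proto, alg, base64.b64decode("".join(f[6:]))),
            "add_holddown_ends": add_hd,
            "state": "hold-down ended" if add_hd <= now else "trust pending",
        })
    return out

# Constructed sample in managed-keys.bind style; "AQAB" is a toy key, not a root KSK.
SAMPLE = """\
$ORIGIN .
$TTL 0
. KEYDATA 20170812101500 20170811222637 19700101000000 257 3 8 (
        AQAB
        ) ; constructed record
"""

if __name__ == "__main__":
    for rec in keydata_status(SAMPLE, datetime.now(timezone.utc)):
        print(rec["key_tag"], rec["state"], rec["add_holddown_ends"].isoformat())
```

As the message says, run `rndc sync` before reading the file so the journal has been folded into it.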