[ksk-rollover] new root trust anchor confirmation

Tony Finch dot at dotat.at
Fri Aug 11 22:54:14 UTC 2017

> On 11 Aug 2017, at 20:11, Evan Hunt <each at isc.org> wrote:
> This means that it isn't yet a trust anchor...
>>    ... but managed-keys *does* contain both keys (20326 and 19036).
> ...but will be at some point, which you can determine by looking at the
> KEYDATA line in managed-keys.bind.  The second date field is the when the
> add hold-down period will end, in UTC. (My server has 20170811222637,
> about five hours from now.)
> More recent versions of BIND added comments to the file that say "trust
> pending" with a more human-readable date, and the 'rndc managed-keys'
> command so you can query the server directly.

For red-hatted retronauts who rock like it's 9.7.0, years ago I wrote a script for parsing managed-keys.bind and explaining its contents. It has not turned out to be amazingly robust, but the splendid people at ISC.org have kept it working. (You probably want to run `rndc sync` first to ensure the journal has been folded into the master file.)


f.anthony.n.finch  <dot at dotat.at>  http://dotat.at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20170812/b46d534f/attachment.html>

More information about the ksk-rollover mailing list