[ksk-rollover] new root trust anchor confirmation

Warren Kumari warren at kumari.net
Thu Aug 17 02:28:27 UTC 2017


On Tue, Aug 15, 2017 at 10:36 PM, Sameka McNeil - NOAA Affiliate
<sameka.s.mcneil at noaa.gov> wrote:
> Could someone give me a hand.
>
> I added the new root KSK to my bind 9 configuration using the trusted-keys
> configuration.
>


Unless you have a really good reason, 'trusted-keys' is probably not
what you want -- you should almost definitely be using 'managed-keys'
instead.
Trusted keys basically says: This is the trust anchor, and will always
be the trust anchor. I take full responsibility for updating it if it
changes in the future.

Managed keys says: This is the trust anchor. Please use the process in
RFC5011 to manage this for me -- when a new trust anchor is introduced
(and signed by the old one), start using it, and revoke this one when
told to.

More details here:
https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/

W



> How do I know if it's trusted and validated?
>
> Thank you for any assistance
>
> On Tue, Aug 15, 2017 at 4:47 PM, Evan Hunt <each at isc.org> wrote:
>>
>> On Tue, Aug 15, 2017 at 07:54:55PM +0000, Paul Hoffman wrote:
>> > On Aug 10, 2017, at 2:03 PM, Evan Hunt <each at isc.org> wrote:
>> > > If you run a recent BIND, "rndc managed-keys status"
>> >
>> > That works in BIND 9.11.x; is there any equivalent for BIND 9.10.x,
>> > which is still much more prevalent in distros?
>>
>> "rndc secroots" will dump a list of trusted keys, and the
>> managed-keys.bind
>> file is readable and has comments that indicate whether trust is pending
>> or
>> active for each key.
>>
>> --
>> Evan Hunt -- each at isc.org
>> Internet Systems Consortium, Inc.
>> _______________________________________________
>> ksk-rollover mailing list
>> ksk-rollover at icann.org
>> https://mm.icann.org/mailman/listinfo/ksk-rollover
>>
>
>
>
> --
> Sameka S. McNeil
>
>
>
>
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
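To make the distinction Warren draws concrete, here is an added named.conf illustration (not part of the original mail, and not ISC's own configuration): the static `trusted-keys` form beside the RFC 5011 `managed-keys` form. The key material is a labelled placeholder, since the root KSK's DNSKEY data is not reproduced in this thread; the algorithm number 8 (RSASHA256) and flags 257 (KSK) are the standard values for a root KSK record. In BIND 9.11 and later, `dnssec-validation auto;` uses the built-in root trust anchor and manages it via RFC 5011 without either stanza, which is the simplest option when available.

```conf
// Option A: static trust anchor (what the original poster used).
// BIND will use exactly this key forever; nothing updates it when the
// root KSK rolls, so validation breaks after the rollover unless the
// operator edits this file by hand.
trusted-keys {
    // placeholder: substitute the real root KSK DNSKEY public key data
    . 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};

// Option B: RFC 5011 managed trust anchor (what Warren recommends).
// The key given here is only the *initial* anchor. After start-up BIND
// tracks the root DNSKEY RRset: a new KSK signed by the current one is
// added after the hold-down period, and a key marked REVOKE is dropped.
// State is persisted in managed-keys.bind, whose comments show whether
// each key is "trust pending" or trusted, as Evan notes above.
managed-keys {
    // placeholder: substitute the real root KSK DNSKEY public key data
    . initial-key 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};

// Option C (BIND 9.11+): rely on the compiled-in root anchor and let
// BIND manage it with RFC 5011; no explicit key stanza is needed.
options {
    dnssec-validation auto;
};
```

Only one of the three options belongs in a given named.conf. Whichever is chosen, `rndc secroots` (any 9.x) or `rndc managed-keys status` (9.11+) shows which anchors the resolver currently trusts, which is the check the original poster asked for.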

