<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div><div></div>On 11 Aug 2017, at 20:11, Evan Hunt <<a href="mailto:each@isc.org">each@isc.org</a>> wrote:<br></div><blockquote type="cite"><div><span></span><br><span>This means that it isn't yet a trust anchor...</span><br><span></span><br><blockquote type="cite"><span> ... but managed-keys *does* contain both keys (20326 and 19036).</span><br></blockquote><span></span><br><span>...but will be at some point, which you can determine by looking at the</span><br><span>KEYDATA line in managed-keys.bind. The second date field is the when the</span><br><span>add hold-down period will end, in UTC. (My server has 20170811222637,</span><br><span>about five hours from now.)</span><br><span></span><br><span>More recent versions of BIND added comments to the file that say "trust</span><br><span>pending" with a more human-readable date, and the 'rndc managed-keys'</span><br><span>command so you can query the server directly.</span><br></div></blockquote><div><br></div><div>For red-hatted retronauts who rock like it's 9.7.0, years ago I wrote a script for parsing managed-keys.bind and explaining its contents. It has not turned out to be amazingly robust, but the splendid people at <a href="http://ISC.org">ISC.org</a> have kept it working. (You probably want to run `rndc sync` first to ensure the journal has been folded into the master file.)</div><br><div><div><a href="https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=contrib/scripts/check5011.pl;h=0751a80d49e01dc8d0e6167cd9ac42edebeb14e5;hb=HEAD">https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=contrib/scripts/check5011.pl;hb=HEAD</a><span style="background-color: rgba(255, 255, 255, 0);"><br><br>Tony.</span><div><span style="background-color: rgba(255, 255, 255, 0);">-- </span></div><div><span style="background-color: rgba(255, 255, 255, 0);">f.anthony.n.finch <<a href="mailto:dot@dotat.at">dot@dotat.at</a>> <a href="http://dotat.at">http://dotat.at</a></span></div><div><br></div></div></div></body></html>