Re: DNS Key rollover
- Date: Sun, 7 Oct 2018 14:01:15 +0200
- From: Rob van der Putten <rob@xxxxxxx>
- Subject: Re: DNS Key rollover
On 04/10/2018 20:32, Reco wrote:
Please do not top post.
On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
I don't know anything about bind. How do I know what bind version I am
running, and if I need to do anything regarding the change you mentioned?
Stretch's bind has this public part of root's KSK:
# grep -A2 20326 /etc/bind/bind.keys
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
I have an old config which just contains 19036.
However, the mkeys file in /var/cache/bind/ contains both. I think this
is due to 'dnssec-validation auto' in named.conf.
If you have the same - there's nothing to do.
If you don't - DNSSEC will stop working for you in seven days.
If you do not use BIND - there's nothing to do.
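
Added example, not part of the original thread: the grep quoted above also matches the comment line in bind.keys, so this sketch computes the key tag (RFC 4034 Appendix B) of each `initial-key` entry and checks for the wanted tag in the key material itself. The sample text and its short keys are constructed, so their tags are neither 19036 nor 20326; only `#` comments are handled, and the function names are hypothetical.

```python
import base64
import re
import struct

# Matches `<name> initial-key <flags> <protocol> <algorithm> "<base64>";`
# as used in the managed-keys block of bind.keys.
ENTRY = re.compile(r'initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')


def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    # The quoted key may be wrapped over several lines; drop all whitespace.
    rdata += base64.b64decode("".join(key_b64.split()))
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def configured_tags(text):
    """Key tags of all initial-key entries, skipping '#' comment lines."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )
    return {key_tag(int(f), int(p), int(a), k) for f, p, a, k in ENTRY.findall(body)}


def has_key(text, wanted_tag):
    """True only if a configured key actually hashes to wanted_tag."""
    return wanted_tag in configured_tags(text)


# Constructed sample: the comment mentions 20326, but the keys are toy values.
SAMPLE = """
# This key (20326) is to be published in the root zone in 2017.
managed-keys {
    . initial-key 257 3 8 "AQ
        ID";
    . initial-key 257 3 8 "BAUG";
};
"""

if __name__ == "__main__":
    print("tags found:", sorted(configured_tags(SAMPLE)))
    print("20326 present:", has_key(SAMPLE, 20326))
```

This reads only a bind.keys-style file; it does not inspect the managed-keys state that named keeps under /var/cache/bind/.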