
Re: DNS Key rollover




Hi there


On 04/10/2018 20:32, Reco wrote:

Please do not top post.

On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
Hi, Henning.

I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.

I don't know anything about bind. How do I know what bind version I am
running, and if I need to do anything regarding the change you mentioned?

Stretch's bind has this public part of root's KSK:

# grep -A2 20326 /etc/bind/bind.keys
         # This key (20326) is to be published in the root zone in 2017.
         # Servers which were already using the old key (19036) should
         # roll seamlessly to this new one via RFC 5011 rollover. Servers

I have an old config which just contains 19036.
However, the mkeys file in /var/cache/bind/ contains both. I think this is due to 'dnssec-validation auto' in named.conf.

If you have the same - there's nothing to do.
If you don't - DNSSEC will stop working for you in seven days.
If you do not use BIND - there's nothing to do.


Regards,
Rob
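
Added example, not part of the original thread: the numbers 19036 and 20326 are DNSKEY key tags, so a trust-anchor file can be checked by computing the tag of each configured key (RFC 4034 Appendix B) instead of matching comment text. It assumes the `managed-keys { . initial-key ... "base64"; };` syntax used in bind.keys; the function names are hypothetical and the sample keys are constructed, not real root keys.

```python
import base64
import re
import struct

# Matches one entry such as:  . initial-key 257 3 8 "base64...";
ANCHOR = re.compile(r'initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"')

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF

def trust_anchor_tags(text):
    """Return the key tags of all initial-key entries in bind.keys-style text."""
    # Drop '#' comments first: a key id mentioned in a comment is not
    # a configured trust anchor.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tags = []
    for flags, proto, alg, b64 in ANCHOR.findall(body):
        key = base64.b64decode("".join(b64.split()))  # key may span lines
        tags.append(key_tag(int(flags), int(proto), int(alg), key))
    return tags

def has_trust_anchor(text, tag):
    """True if a key with this tag is actually configured in the text."""
    return tag in trust_anchor_tags(text)

# Constructed sample input (NOT the real root keys), in bind.keys layout.
SAMPLE = '''\
managed-keys {
        # This key (20326) is only mentioned in a comment here.
        . initial-key 257 3 8 "AQID
                BAUGBwg=";
        . initial-key 256 3 8 "/////w==";
};
'''

if __name__ == "__main__":
    print(trust_anchor_tags(SAMPLE))
    print(has_trust_anchor(SAMPLE, 20326))
```

To check a real system, pass the contents of /etc/bind/bind.keys to `has_trust_anchor(text, 20326)`.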