On 11/12/2010 7:49 AM, David Forrest wrote:
> While running BIND 9.7.2-P2 built with defaults on F11
[..]
> and, on checking named.conf, I found the entry for br. as:
> trusted-keys {
> "br." 257 3 5
> "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
> };

If Fedora 11 (I'm assuming that is what "F11" is) has built-in trust anchors in the distributed named.conf, someone needs to talk to them...

As already noted, the root is signed; inserting individual keys into the named.conf for TLDs that are signed and have DS records in the root is a really, REALLY bad idea.

Doing a search for relevant keywords proves that yes, Fedora 11 ships with a broken configuration, and the recommendation (from those that seem to know no better) is "ooh, DNSSEC BAD, turn it off".

AlanC
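An added example, not code from the thread or from ISC BIND: a small audit script that scans a named.conf for trusted-keys / managed-keys statements and flags the pattern the reply warns about, a static trust anchor configured for a zone below the signed root. Such a copy is never refreshed, so it turns into a validation failure (SERVFAIL) as soon as the TLD rolls its KSK; a zone with a DS record in its parent should be validated through the root chain instead. The sample configuration is constructed to mirror the Fedora 11 fragment quoted above (the br. key is the one quoted there; the root entry is a placeholder, not real key material), and the scanner handles only these two statements, not the whole named.conf grammar.

```python
"""Audit a named.conf for static DNSSEC trust anchors configured below the root.

Added example for the thread above; it is not code from the original posts or
from ISC BIND.  It uses a small hand-written scanner for the ``trusted-keys``
and ``managed-keys`` statements only, not a full named.conf parser.
"""
import re

# Constructed sample fragment modelled on the Fedora 11 named.conf quoted in the
# thread.  The br. key is the one quoted there; the root entry is a placeholder,
# not real key material.
SAMPLE_NAMED_CONF = '''
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
};

trusted-keys {
    // static copy of a TLD KSK: breaks as soon as .br rolls its key
    "br." 257 3 5
    "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPqXr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1NGbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hNx94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
    "." 257 3 8 "PLACEHOLDER-ROOT-KSK-NOT-A-REAL-KEY";
};
'''

BLOCK_RE = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\};', re.S)
# <name> [initial-key] <flags> <protocol> <algorithm> "<base64 key>" ;
ENTRY_RE = re.compile(
    r'"([^"]*)"\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;', re.S)


def strip_comments(text):
    """Remove //, # and /* */ comments, leaving quoted strings untouched.

    Base64 key material may legitimately contain "//", so comments are only
    recognised outside double quotes.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j < 0 else j + 2
        elif text.startswith('//', i) or c == '#':
            j = text.find('\n', i)
            i = n if j < 0 else j          # keep the newline itself
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def parse_trust_anchors(conf):
    """Return one dict per anchor found in trusted-keys / managed-keys blocks."""
    anchors = []
    for stmt, body in BLOCK_RE.findall(strip_comments(conf)):
        for name, flags, proto, alg, key in ENTRY_RE.findall(body):
            name = name.lower()
            if not name.endswith('.'):
                name += '.'               # normalise "br" and "" to "br." and "."
            anchors.append({"statement": stmt, "name": name, "flags": int(flags),
                            "protocol": int(proto), "algorithm": int(alg), "key": key})
    return anchors


def audit_trust_anchors(conf):
    """Return a list of human-readable findings for the anchors in ``conf``."""
    findings = []
    for a in parse_trust_anchors(conf):
        where = '%s entry for "%s"' % (a["statement"], a["name"])
        if a["name"] != ".":
            findings.append(where + ": static anchor below the signed root; if the zone "
                            "has a DS record in its parent, remove it and let the root "
                            "chain validate it, otherwise it fails at the next key roll")
        elif a["statement"] == "trusted-keys":
            findings.append(where + ": root anchor in trusted-keys is never updated; "
                            "use managed-keys (RFC 5011) so a root KSK roll is tracked")
        if not a["flags"] & 1:
            findings.append(where + ": flags %d lack the SEP bit; not a KSK" % a["flags"])
        if a["protocol"] != 3:
            findings.append(where + ": protocol %d is invalid; DNSKEY protocol is always 3"
                            % a["protocol"])
    return findings


if __name__ == "__main__":
    for line in audit_trust_anchors(SAMPLE_NAMED_CONF):
        print(line)
```

Run against a real file with `audit_trust_anchors(open("/etc/named.conf").read())`; for the constructed sample it reports two findings, the stale br. anchor and the root anchor sitting in a static trusted-keys statement rather than managed-keys.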
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users