Re: cant update 'cz'

2010-09-05 Thread Tony Finch
On 30 Aug 2010, at 00:02, clem...@dwf.com wrote:
 
> Can you either point me at the documentation I need to read, or
> explain how to
>
> 'Add one for the root zone'

Have a look at:
http://fanf.livejournal.com/107310.html

Note that since you are using bind-9.6 you have to use a trusted-keys clause 
since it doesn't support managed-keys / RFC 5011. For the same reason 
bind-9.6 also does not support dnssec-lookaside auto.

> No I haven't done this, and I don't see anything for the root zone when
> I do the above, viz 'anchors2keys < anchors.xml > trusted.keys'.

The ITAR only contains TLD trust anchors, not the root trust anchor nor any for 
lower zones. Also, the root trust anchor is distributed in a different format 
to the ITAR so anchors2keys doesn't work on it (hence my blog post).

I recommend ignoring the ITAR (it is due to be eliminated now the root has been 
signed). Use dnssec-lookaside if you want to validate zones that lack a chain 
of trust from the root.

Tony.
--
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
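A small checker for the situation in this thread, added here as an example and not part of the original posts: it parses the trusted-keys clause out of a named.conf and flags anchors whose algorithm and key material no longer appear in the zone's DNSKEY RRset, which is exactly how the old cz RSASHA1 anchor went stale after the switch to RSASHA512. The named.conf fragment and the DNSKEY answers are constructed samples with placeholder key material; in practice the RRsets would come from `dig +dnssec DNSKEY <zone>`.

```python
import re

# Constructed sample named.conf fragment (placeholder key material, not the
# real cz or root keys): a stale cz anchor (alg 5 = RSASHA1) plus a root anchor.
NAMED_CONF = '''
trusted-keys {
    "cz." 257 3 5 "AwEAAczOLDRSASHA1ANCHORplaceholder=";
    "."   257 3 8 "AwEAAROOTKSKplaceholder=";
};
'''

# Constructed sample of what the zones' DNSKEY RRsets look like after the
# cz rollover to alg 10 (RSASHA512); real data would come from dig.
DNSKEY_RRSETS = {
    "cz.": [(257, 3, 10, "AwEAAczNEWRSASHA512KSKplaceholder=")],
    ".":   [(257, 3, 8, "AwEAAROOTKSKplaceholder=")],
}

ANCHOR_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_trusted_keys(conf):
    """Return {zone: [(flags, protocol, algorithm, base64key)]} for every
    anchor found in the trusted-keys clauses of a named.conf string."""
    anchors = {}
    for clause in re.finditer(r'trusted-keys\s*\{(.*?)\};', conf, re.S):
        for zone, flags, proto, alg, key in ANCHOR_RE.findall(clause.group(1)):
            key = "".join(key.split())  # the base64 may be line-wrapped
            anchors.setdefault(zone, []).append((int(flags), int(proto), int(alg), key))
    return anchors

def stale_anchors(anchors, rrsets):
    """Return [(zone, algorithm)] for anchors whose algorithm+key no longer
    appear in that zone's DNSKEY RRset; these are the ones named complains about."""
    stale = []
    for zone, keys in anchors.items():
        live = {(alg, key) for _, _, alg, key in rrsets.get(zone, [])}
        for _, _, alg, key in keys:
            if (alg, key) not in live:
                stale.append((zone, alg))
    return stale

if __name__ == "__main__":
    for zone, alg in stale_anchors(parse_trusted_keys(NAMED_CONF), DNSKEY_RRSETS):
        print(f"{zone} anchor (algorithm {alg}) no longer matches the zone's DNSKEY set;"
              " remove or replace it in trusted-keys")
```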


Re: cant update 'cz'

2010-08-29 Thread clemens
> On Aug 28 2010, clem...@dwf.com wrote:
>
> > I am getting the message:
> > cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.
> >
> > And in the past this has meant that something needed to be updated.
> >
> > However, when I pull 'anchors.xml' and run anchors2keys < anchors.xml >
> > trusted.keys
> >
> > there is no entry for 'cz'.
> >
> > What should I be doing???
>
> Remove your trust anchor for cz.
> Add one for the root zone (if you haven't done so already).
>
> cz has switched from RSASHA1/NSEC to RSASHA512/NSEC3, had a DS record
> for it added to the root zone, and has been removed from the ITAR. It's
> actually been gone from the ITAR for at least a couple of weeks: if
> you are generating trust anchors from the ITAR you need to fetch and
> reprocess it (much) more often. Things are changing very fast now that
> the root zone is signed.
>
Sorry to appear a bit dense, but I haven't read through the bind documentation
in years, and I really don't know anything about these new features.

Can you either point me at the documentation I need to read, or 
explain how to

'Add one for the root zone'

No I haven't done this, and I don't see anything for the root zone when
I do the above, viz 'anchors2keys < anchors.xml > trusted.keys'.

I know this is all in a state of flux, and things are probably in a state of
flux, but I'm running bind 9.6.2 from Fedora 11.
-- 
Reg.Clemens
r...@dwf.com




cant update 'cz'

2010-08-28 Thread clemens
I am getting the message:
cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.

And in the past this has meant that something needed to be updated.

However, when I pull 'anchors.xml' and run anchors2keys < anchors.xml >
trusted.keys

there is no entry for 'cz'.

What should I be doing???

-- 
Reg.Clemens
r...@dwf.com

