[Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
I find this important enough to forward on to bind-users.

Please note the importance of trust anchor management.

AlanC
---BeginMessage---
[Apologies for duplicates]

Dear Colleagues,

We have discovered that recent versions of the Fedora Linux distribution
are shipping with a package called dnssec-conf, which contains the
RIPE NCC's DNSSEC trust anchors. This package is installed by default as
a dependency of BIND, and it configures BIND to do DNSSEC validation.

Unfortunately, the current version of this package (1.21) is outdated
and contains old trust anchors.

On 16 December 2009, we had a key roll-over event, where we removed the
old Key-Signing Keys (KSKs). From that time, BIND resolvers running on
Fedora Linux distributions could not validate any signed responses in
the RIPE NCC's reverse zones.

If you are running Fedora Linux with the standard BIND package, please
edit the file /etc/pki/dnssec-keys//named.dnssec.keys, and comment out
all the lines in it containing the directory path production/reverse.
Then restart BIND.

This will stop BIND from using the outdated trust anchors. If you do
want to use the RIPE NCC's trust anchors to validate our signed zones,
we recommend that you fetch the latest trust anchor file from our
website and reconfigure BIND to use it instead of the ones distributed
in the dnssec-conf package:

https://www.ripe.net/projects/disi/keys/index.html

Please remember to check frequently for updates to our trust anchor
file, as we introduce new Key-Signing Keys (KSKs) every 6 months.

Regards,

Anand Buddhdev,
DNS Services Manager, RIPE NCC
---End Message---


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
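
The edit-and-restart procedure from the forwarded message, written out as an added shell example (it is not the RIPE NCC's, Fedora's or dnssec-conf's own tooling). It assumes named.dnssec.keys is a list of BIND `include` statements, one per anchor file; the sample file contents are constructed, and the `active_reverse_anchors` / `disable_reverse_anchors` / `reload_named` names are this example's own.

```shell
#!/bin/sh
# Added example: disable the RIPE NCC reverse-zone trust anchors in a
# dnssec-conf style key list without hand-editing, then validate and reload.
# The file layout (one BIND "include" statement per anchor file) is an
# assumption; the sample contents below are constructed.
KEYS_FILE=${KEYS_FILE:-/etc/pki/dnssec-keys/named.dnssec.keys}

# Count include lines that still reference production/reverse and are not
# already commented out with "//" or "#".
active_reverse_anchors() {
    awk 'index($0, "production/reverse") && $0 !~ "^[[:space:]]*(//|#)" { n++ }
         END { print n + 0 }' "$1"
}

# Prefix every active production/reverse line with "//". Already-commented
# lines and unrelated anchors pass through unchanged, so the function is
# idempotent; the rewrite goes through a temporary file so an interrupted run
# cannot leave a truncated configuration behind.
disable_reverse_anchors() {
    file=$1
    tmp="$file.tmp.$$"
    awk 'index($0, "production/reverse") && $0 !~ "^[[:space:]]*(//|#)" { print "// " $0; next }
         { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Check the whole configuration before asking named to pick it up; a syntax
# error would otherwise take the resolver down on restart.
reload_named() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf || return 1
    fi
    if command -v rndc >/dev/null 2>&1; then
        rndc reload
    else
        echo "restart named manually (e.g. service named restart)" >&2
    fi
}

# Constructed sample key list used for the demonstration below.
write_sample_keys_file() {
    printf '%s\n' \
      '// constructed sample of a dnssec-conf key list' \
      'include "/etc/pki/dnssec-keys/production/reverse/in-addr.arpa.conf";' \
      'include "/etc/pki/dnssec-keys/production/reverse/ip6.arpa.conf";' \
      '// include "/etc/pki/dnssec-keys/production/reverse/already-off.conf";' \
      'include "/etc/pki/dnssec-keys/production/dlv/dlv.isc.org.conf";' > "$1"
}

# Demonstration on a throwaway copy; on a real host the call would be
#   disable_reverse_anchors "$KEYS_FILE" && reload_named
demo_dir=$(mktemp -d)
write_sample_keys_file "$demo_dir/named.dnssec.keys"
echo "before: $(active_reverse_anchors "$demo_dir/named.dnssec.keys") active reverse anchors"
disable_reverse_anchors "$demo_dir/named.dnssec.keys"
echo "after:  $(active_reverse_anchors "$demo_dir/named.dnssec.keys") active reverse anchors"
rm -rf "$demo_dir"
```

The count function doubles as the check to run after the edit: if it still reports a non-zero number, a line was written in a form the pattern did not recognise and the outdated anchors are still in use.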

Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Adam Tkac
On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:
> I find this important enough to forward on to bind-users.
> 
> Please note the importance of trust anchor management.

We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry
for the trouble.

Regards, Adam

> Date: Fri, 05 Feb 2010 14:25:10 +0100
> From: Anand Buddhdev ana...@ripe.net
> To: dnssec-deploym...@dnssec-deployment.org
> Subject: [Dnssec-deployment] Outdated RIPE NCC Trust Anchors in Fedora
>  Linux Repositories
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB;
>  rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
> 
> [Apologies for duplicates]
> 
> Dear Colleagues,
> 
> We have discovered that recent versions of the Fedora Linux distribution
> are shipping with a package called dnssec-conf, which contains the
> RIPE NCC's DNSSEC trust anchors. This package is installed by default as
> a dependency of BIND, and it configures BIND to do DNSSEC validation.
> 
> Unfortunately, the current version of this package (1.21) is outdated
> and contains old trust anchors.
> 
> On 16 December 2009, we had a key roll-over event, where we removed the
> old Key-Signing Keys (KSKs). From that time, BIND resolvers running on
> Fedora Linux distributions could not validate any signed responses in
> the RIPE NCC's reverse zones.
> 
> If you are running Fedora Linux with the standard BIND package, please
> edit the file /etc/pki/dnssec-keys//named.dnssec.keys, and comment out
> all the lines in it containing the directory path production/reverse.
> Then restart BIND.
> 
> This will stop BIND from using the outdated trust anchors. If you do
> want to use the RIPE NCC's trust anchors to validate our signed zones,
> we recommend that you fetch the latest trust anchor file from our
> website and reconfigure BIND to use it instead of the ones distributed
> in the dnssec-conf package:
> 
> https://www.ripe.net/projects/disi/keys/index.html
> 
> Please remember to check frequently for updates to our trust anchor
> file, as we introduce new Key-Signing Keys (KSKs) every 6 months.
> 
> Regards,
> 
> Anand Buddhdev,
> DNS Services Manager, RIPE NCC

-- 
Adam Tkac, Red Hat, Inc.


Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Mark Andrews

In message 20100205143439.ga15...@evileye.atkac.englab.brq.redhat.com, Adam Tkac writes:
> On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:
> > I find this important enough to forward on to bind-users.
> > 
> > Please note the importance of trust anchor management.
> 
> We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry
> for the trouble.
> 
> Regards, Adam

The better thing would be a script to fetch the current keys
nightly, perform a sanity check, then update or inform the administrator
and let them update the keys after inspection.  I do something like
this myself nightly.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
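
The nightly fetch, sanity-check and stage-for-review routine Mark describes, written out as an added shell example; it is not Mark's own script (which he does not post) and not ISC's. Its assumptions: the published trust anchor file holds one DNSKEY record per line ("owner IN DNSKEY flags protocol algorithm base64-key", `;` comments), `curl` is available for the download, the URL and paths are placeholders, and the sample files are constructed with made-up key material. The function names (`fetch_anchors`, `sanity_check_anchors`, `anchor_diff_status`, `nightly_check`) are this example's own.

```shell
#!/bin/sh
# Added example: nightly trust-anchor check. The candidate file is validated,
# compared with the installed set, and staged for the administrator to inspect;
# nothing is ever written to the live configuration. File format assumed as
# described in the lead-in; sample data below is constructed.
LC_ALL=C; export LC_ALL

# Download a candidate file over HTTPS into OUT (curl assumed). Placeholder URL.
fetch_anchors() {
    curl -fsS --max-time 30 -o "$2" "$1"
}

# Reduce FILE to one canonical "owner flags proto alg key" line per record so
# two files compare equal regardless of comments or wrapped key material.
canon_anchors() {
    awk '/^[[:space:]]*(;|$)/ { next }
         { k = ""; for (i = 7; i <= NF; i++) k = k $i; print $1, $4, $5, $6, k }' "$1" | sort
}

# Structural checks: every record is a key-signing key (flags 257, protocol 3)
# with a known DNSSEC algorithm number and base64 key material, and the file
# holds at least one record. Prints the reason and returns 1 on failure.
sanity_check_anchors() {
    [ -s "$1" ] || { echo "empty or missing: $1"; return 1; }
    awk '
        function fail(msg) { print msg; bad = 1; exit 1 }
        /^[[:space:]]*(;|$)/ { next }
        NF < 7 || $2 != "IN" || $3 != "DNSKEY" { fail("not a DNSKEY record: " $0) }
        $4 != 257 { fail("not a key-signing key (flags != 257): " $0) }
        $5 != 3   { fail("bad protocol field: " $0) }
        $6 !~ /^(5|7|8|10|13|14|15|16)$/ { fail("unknown algorithm number: " $0) }
        { k = ""; for (i = 7; i <= NF; i++) k = k $i
          if (k !~ "^[A-Za-z0-9+/=]+$") fail("key material is not base64: " $0)
          n++ }
        END { if (!bad && n == 0) { print "no keys found"; exit 1 } }
    ' "$1"
}

# Print "unchanged", or "rollover"/"disjoint" with the number of keys added and
# removed. A candidate sharing no key with the installed set is flagged as
# disjoint: a legitimate roll-over keeps at least one key in common.
anchor_diff_status() {
    d=$(mktemp -d) || return 1
    canon_anchors "$1" > "$d/cur"; canon_anchors "$2" > "$d/new"
    if cmp -s "$d/cur" "$d/new"; then status=unchanged
    else
        common=$(comm -12 "$d/cur" "$d/new" | awk 'END { print NR }')
        added=$(comm -13 "$d/cur" "$d/new" | awk 'END { print NR }')
        removed=$(comm -23 "$d/cur" "$d/new" | awk 'END { print NR }')
        if [ "$common" -eq 0 ]; then status="disjoint added=$added removed=$removed"
        else status="rollover added=$added removed=$removed"; fi
    fi
    rm -rf "$d"; echo "$status"
}

# Nightly decision. Return 0: nothing to do; 2: change staged at STAGING for
# review; 1: candidate rejected (sanity failure or disjoint key set).
nightly_check() {
    cur=$1; new=$2; staging=$3
    if ! msg=$(sanity_check_anchors "$new"); then
        echo "REJECT: candidate failed sanity check: $msg"; return 1
    fi
    status=$(anchor_diff_status "$cur" "$new")
    case $status in
        unchanged)  echo "OK: trust anchors unchanged"; return 0 ;;
        disjoint*)  echo "REJECT: candidate shares no key with installed set ($status)"; return 1 ;;
        rollover*)  cp "$new" "$staging"
                    echo "REVIEW: $status; candidate staged at $staging"; return 2 ;;
    esac
}

# Constructed sample data (made-up key material) so the functions run offline.
write_sample_anchors() {
    printf '%s\n' '; installed set' \
      '193.in-addr.arpa. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDkey1' \
      '194.in-addr.arpa. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDkey2' > "$1/current.keys"
    # roll-over: key2 withdrawn, key3 introduced, key1 kept (wrapped over two fields)
    printf '%s\n' '193.in-addr.arpa. IN DNSKEY 257 3 5 AwEAAcONSTRUCTED key1' \
      '194.in-addr.arpa. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDkey3' > "$1/rollover.keys"
    # no key in common with the installed set
    printf '%s\n' '195.in-addr.arpa. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDkey4' > "$1/disjoint.keys"
    # malformed: zone-signing key flags where a KSK is expected
    printf '%s\n' '193.in-addr.arpa. IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDkey1' > "$1/bad.keys"
}

# Real use from cron (placeholder paths):
#   fetch_anchors https://example.invalid/trust-anchors.txt /var/tmp/candidate.keys &&
#   nightly_check /etc/pki/dnssec-keys/current.keys /var/tmp/candidate.keys /var/tmp/staged.keys
```

The deliberate choice here is to stage rather than install: a roll-over that removes a key the resolver still needs, or a candidate that shares nothing with the installed set, is exactly the case where an administrator should look before validation starts failing.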


Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Paul Wouters

On Sat, 6 Feb 2010, Mark Andrews wrote:

> > We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry
> > for the trouble.
> 
> The better thing would be a script to fetch the current keys
> nightly, perform a sanity check, then update or inform the administrator
> and let them update the keys after inspection.  I do something like
> this myself nightly.


With the current success of the DLV, and the root zone deployment half
a year away, it is not really required anymore. I think it is much better
to get rid of all trust anchors apart from the ISC DLV key.

Paul


Re: [Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

2010-02-05 Thread Alan Clegg
Paul Wouters wrote:

> With the current success of the DLV, and the root zone deployment half
> a year away, it is not really required anymore. I think it is much better
> to get rid of all trust anchors apart from the ISC DLV key.

Do remember, however, that the DLV keys also roll, so this does need to
be taken into account.

AlanC


