Module Name:src
Committed By: martin
Date: Sat May 5 15:14:30 UTC 2018
Modified Files:
src/etc/namedb [netbsd-8]: bind.keys
Log Message:
Pull up following revision(s) (requested by nakayama in ticket #791):
etc/namedb/bind.keys: revision 1.2
Update the keys file to the latest version from:
https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
This includes the new KSK2017 key which is planned to replace the KSK2010
in October 11th, 2018. It is important to have software that ships with
both before September 11th 2018. Anything that bootstraps after that could
have trouble switching.
XXX: pullup-8, pullup-7, pullup-6
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.1.26.1 src/etc/namedb/bind.keys
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/etc/namedb/bind.keys
diff -u src/etc/namedb/bind.keys:1.1 src/etc/namedb/bind.keys:1.1.26.1
--- src/etc/namedb/bind.keys:1.1 Thu Apr 25 17:02:29 2013
+++ src/etc/namedb/bind.keys Sat May 5 15:14:30 2018
@@ -1,5 +1,4 @@
-/* $NetBSD: bind.keys,v 1.1 2013/04/25 17:02:29 christos Exp $ */
-/* Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp */
+/* $NetBSD: bind.keys,v 1.1.26.1 2018/05/05 15:14:30 martin Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
@@ -16,15 +15,18 @@
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of January 2011. If any key fails to
+# These keys are current as of February 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
-# NOTE: This key is activated by setting "dnssec-lookaside auto;"
-# in named.conf.
+ #
+ # NOTE: The ISC DLV zone is being phased out as of February 2017;
+ # the key will remain in place but the zone will be otherwise empty.
+ # Configuring "dnssec-lookaside auto;" to activate this key is
+ # harmless, but is no longer useful and is not recommended.
dlv.isc.org. initial-key 257 3 5 "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
@@ -33,10 +35,16 @@ managed-keys {
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
-# NOTE: This key is activated by setting "dnssec-validation auto;"
-# in named.conf.
+ #
+ # These keys are activated by setting "dnssec-validation auto;"
+ # in named.conf.
+ #
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
@@ -44,4 +52,19 @@ managed-keys {
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
+
+ # This key (20326) is to be published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
};
