cant update 'cz'

Chris Thompson cet1 at cam.ac.uk
Sat Aug 28 22:33:58 UTC 2010


On Aug 28 2010, clemens at dwf.com wrote:

>I am getting the message:
>    cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.
>
>And in the past this has meant that something needed to be updated.
>
>However, when I pull 'anchors.xml' and run anchors2keys < anchors.xml > 
>trusted.keys
>
>there is no entry for 'cz'.
>
>What should I be doing???

Remove your trust anchor for "cz".
Add one for the root zone (if you haven't done so already).

"cz" has switched from RSASHA1/NSEC to RSASHA512/NSEC3, had a DS record 
for it added to the root zone, and has been removed from the ITAR. It's
actually been gone from the ITAR for at least a couple of weeks: if
you are generating trust anchors from the ITAR you need to fetch and
reprocess it (much) more often. Things are changing very fast now that
the root zone is signed.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk



More information about the bind-users mailing list