can't update 'cz'

clemens at dwf.com clemens at dwf.com
Sun Aug 29 23:02:29 UTC 2010


> On Aug 28 2010, clemens at dwf.com wrote:
> 
> >I am getting the message:
> >    cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.
> >
> >And in the past this has meant that something needed to be updated.
> >
> >However, when I pull 'anchors.xml' and run anchors2keys < anchors.xml > trusted.keys
> >
> >there is no entry for 'cz'.
> >
> >What should I be doing???
> 
> Remove your trust anchor for "cz".
> Add one for the root zone (if you haven't done so already).
> 
> "cz" has switched from RSASHA1/NSEC to RSASHA512/NSEC3, had a DS record 
> for it added to the root zone, and has been removed from the ITAR. It's
> actually been gone from the ITAR for at least a couple of weeks: if
> you are generating trust anchors from the ITAR you need to fetch and
> reprocess it (much) more often. Things are changing very fast now that
> the root zone is signed.
> 
Sorry to appear a bit dense, but I haven't read through the bind documentation
in years, and I really don't know anything about these new features.

Can you either point me at the documentation I need to read, or 
explain how to

    'Add one for the root zone'

No, I haven't done this, and I don't see anything for the root zone when
I do the above, viz 'anchors2keys < anchors.xml > trusted.keys'.

I know this is all in a state of flux, and things are probably in a state of
flux, but I'm running bind 9.6.2 from Fedora 11.
-- 
                                        Reg.Clemens
                                        reg at dwf.com




