cant update 'cz'

Kevin Oberman oberman at es.net
Sun Aug 29 23:25:43 UTC 2010


> From: clemens at dwf.com
> Date: Sun, 29 Aug 2010 17:02:29 -0600
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> > On Aug 28 2010, clemens at dwf.com wrote:
> > 
> > >I am getting the message:
> > >    cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.
> > >
> > >And in the past this has meant that something needed to be updated.
> > >
> > >However, when I pull 'anchors.xml' and run anchors2keys < anchors.xml > trusted.keys
> > >
> > >there is no entry for 'cz'.
> > >
> > >What should I be doing???
> > 
> > Remove your trust anchor for "cz".
> > Add one for the root zone (if you haven't done so already).
> > 
> > "cz" has switched from RSASHA1/NSEC to RSASHA512/NSEC3, had a DS record 
> > for it added to the root zone, and has been removed from the ITAR. It's
> > actually been gone from the ITAR for at least a couple of weeks: if
> > you are generating trust anchors from the ITAR you need to fetch and
> > reprocess it (much) more often. Things are changing very fast now that
> > the root zone is signed.
> > 
> Sorry to appear a bit dense, but I haven't read through the bind documentation
> in years, and I really don't know anything about these new features.
> 
> Can you either point me at the documentation I need to read, or 
> explain how to
> 
>     'Add one for the root zone'
> 
> No, I haven't done this, and I don't see anything for the root zone when
> I do the above, viz. 'anchors2keys < anchors.xml > trusted.keys'.
> 
> I know this is all in a state of flux, and things are probably in a state of
> flux, but I'm running bind 9.6.2 from Fedora 11.

You can get the root key lots of places. Obviously it is best to get it
from somewhere you trust. ISC has it in BIND format, which is nice if
you trust it. 

ICANN is the obvious place to go, but I don't believe the format ICANN
publishes in is compatible with anchors2keys. The XML schema is
different from that of the ITAR. Not that it is all that hard to figure
out. I will confirm that the ISC published key matches the one ICANN
has, but I wouldn't believe me on that, so confirm it yourself.

Once you get the key, drop it into 'trusted-keys' or 'managed-keys' as
appropriate to your version of BIND. The entry should start with '"." 257 3
8' followed by the ASCII-armored key in quotation marks.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
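As an added illustration (not part of the thread above), here is a named.conf fragment showing the change Kevin describes: the stale per-TLD "cz" anchor from the ITAR is dropped and a single root-zone anchor is configured. The key strings are placeholders; the actual root KSK must be fetched from a source you trust and cross-checked against a second source before use. The 'trusted-keys' form is what BIND 9.6.x (the poster's version) supports; BIND 9.7 and later can use 'managed-keys' instead so that RFC 5011 rollovers are tracked automatically.

```conf
// Added example, not from the mailing-list post.
// ROOT_KSK_BASE64_PLACEHOLDER stands in for the real root zone KSK.

options {
    // Validation must be switched on or a trust anchor does nothing.
    dnssec-enable yes;
    dnssec-validation yes;
};

// BEFORE: per-TLD anchor generated from the ITAR. "cz" has since moved to
// RSASHA512/NSEC3 and has a DS record in the signed root, so this entry is
// stale and triggers the "please check the 'trusted-keys' for 'cz'" warning.
// Remove it entirely (shown commented out here; old key is a placeholder).
//
// trusted-keys {
//     "cz." 257 3 5 "OLD_CZ_KSK_BASE64_PLACEHOLDER";
// };

// AFTER (BIND 9.6.x): anchor the root zone only. Every TLD with a DS in the
// root, "cz" included, now validates through this one key.
trusted-keys {
    "." 257 3 8 "ROOT_KSK_BASE64_PLACEHOLDER";
};

// Equivalent for BIND 9.7 and later: 'initial-key' seeds the anchor and named
// then follows key rollovers per RFC 5011 without manual edits.
// managed-keys {
//     "." initial-key 257 3 8 "ROOT_KSK_BASE64_PLACEHOLDER";
// };
```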