[Fwd: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories]

Adam Tkac atkac at redhat.com
Fri Feb 5 14:34:39 UTC 2010


On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:
> I find this important enough to forward on to bind-users.
> 
> Please note the importance of trust anchor management.

We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry
for the trouble.

Regards, Adam

> Date: Fri, 05 Feb 2010 14:25:10 +0100
> From: Anand Buddhdev <anandb at ripe.net>
> To: dnssec-deployment at dnssec-deployment.org
> Subject: [Dnssec-deployment] Outdated RIPE NCC Trust Anchors in Fedora
>  Linux Repositories
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB;
>  rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
> 
> [Apologies for duplicates]
> 
> Dear Colleagues,
> 
> We have discovered that recent versions of the Fedora Linux distribution
> are shipping with a package called "dnssec-conf", which contains the
> RIPE NCC's DNSSEC trust anchors. This package is installed by default as
> a dependency of BIND, and it configures BIND to do DNSSEC validation.
> 
> Unfortunately, the current version of this package (1.21) is outdated
> and contains old trust anchors.
> 
> On 16 December 2009, we had a key roll-over event, where we removed the
> old Key-Signing Keys (KSKs). From that time, BIND resolvers running on
> Fedora Linux distributions could not validate any signed responses in
> the RIPE NCC's reverse zones.
> 
> If you are running Fedora Linux with the standard BIND package, please
> edit the file "/etc/pki/dnssec-keys/named.dnssec.keys", and comment out
> all the lines in it containing the directory path "production/reverse".
> Then restart BIND.
> 
> This will stop BIND from using the outdated trust anchors. If you do
> want to use the RIPE NCC's trust anchors to validate our signed zones,
> we recommend that you fetch the latest trust anchor file from our
> website and reconfigure BIND to use it instead of the ones distributed
> in the dnssec-conf package:
> 
> https://www.ripe.net/projects/disi/keys/index.html
> 
> Please remember to check frequently for updates to our trust anchor
> file, as we introduce new Key-Signing Keys (KSKs) every 6 months.
> 
> Regards,
> 
> Anand Buddhdev,
> DNS Services Manager, RIPE NCC

-- 
Adam Tkac, Red Hat, Inc.
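The manual fix Anand describes (commenting out every line in named.dnssec.keys that refers to "production/reverse", then restarting BIND), as an added shell example that is not part of either mail or of the dnssec-conf package. It assumes the keys file is included from named.conf so that `//` starts a comment, and that each anchor is referenced on a single line; the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not RIPE NCC or dnssec-conf code: disable the outdated
# RIPE NCC reverse-zone trust anchors in a BIND keys file, keeping a
# backup, and report how many such anchors are still active.
# Assumption: the file is included from named.conf, so "//" (or "#")
# starts a comment, and each anchor sits on one line whose path contains
# "production/reverse" (the string the mail tells admins to look for).

# Print the number of lines that still actively reference
# production/reverse, i.e. lines not already commented out.
count_active_reverse_anchors() {
    grep -c -E '^[[:space:]]*[^/#[:space:]].*production/reverse' "$1" || true
}

# Comment out every active line that references production/reverse.
# Writes <file>.bak first so the change can be reverted.
# After running this on the real file, restart BIND as the mail says.
disable_reverse_anchors() {
    cp -p "$1" "$1.bak"
    sed -E 's|^([[:space:]]*)([^/#[:space:]].*production/reverse)|\1// \2|' \
        "$1.bak" > "$1"
}

# Constructed sample in the style of /etc/pki/dnssec-keys/named.dnssec.keys;
# the key file names are placeholders, not the real dnssec-conf content.
make_sample_keys_file() {
    cat > "$1" <<'EOF'
// constructed sample keys file, not the real dnssec-conf content
include "/etc/pki/dnssec-keys/production/reverse/reverse-anchor-a.conf";
include "/etc/pki/dnssec-keys/production/reverse/reverse-anchor-b.conf";
include "/etc/pki/dnssec-keys/production/forward-anchor.conf";
// include "/etc/pki/dnssec-keys/production/reverse/already-disabled.conf";
EOF
}
```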