DNSSEC with 9.7.2-P2

Adam Tkac atkac at redhat.com
Mon Nov 15 14:09:38 UTC 2010

On Sat, Nov 13, 2010 at 11:35:57AM +1100, Mark Andrews wrote:
> In message <4CDD6467.9050708 at imperial.ac.uk>, Phil Mayers writes:
> > On 12/11/10 15:45, Lightner, Jeff wrote:
> > 
> > > For Production (RPM based system) you should use RHEL or CentOS which
> > > has a much longer life cycle.  (Speaking of which, RHEL6 was just put in
> > 
> > I don't agree with your line of reasoning. RHEL may have longer update 
> > cycles, but there's no guarantee a particular RHEL install will be 
> > applying updates in real-time, so the keys in the dnssec-conf package 
> > may still get out of date, or a RHEL install may run after it's 5-year 
> > update cycle ends.
> > 
> > I think the dnssec-conf package should have had a nightly cron job to 
> > refresh these keys, and it was a mistake to deploy without such.
> > 
> > Just my opinion of course.
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> I use the following scripts (update-trusted-keys and commit-trusted-keys)
> to manage my trust anchors.  I run update-trusted-keys nightly from cron
> and manually update when I get email that there has been a change.
> update-trusted-keys replaces the trust anchor when the tld gets a DS
> record added to the root zone.  With no arguements it just updates the
> current list of zones listed is /etc/trusted-keys.

Isn't sufficient to configure the root trust anchor inside "managed-keys {};"
statement? If I understand correctly the key should be automatically
updated, shouldn't it?

Regards, Adam

Adam Tkac, Red Hat, Inc.

More information about the bind-users mailing list