DNSSEC with 9.7.2-P2
Mark Andrews
marka at isc.org
Mon Nov 15 23:01:52 UTC 2010
In message <20101115140938.GA17245 at evileye.atkac.brq.redhat.com>, Adam Tkac writes:
> On Sat, Nov 13, 2010 at 11:35:57AM +1100, Mark Andrews wrote:
> >
> > In message <4CDD6467.9050708 at imperial.ac.uk>, Phil Mayers writes:
> > > On 12/11/10 15:45, Lightner, Jeff wrote:
> > >
> > > > For Production (RPM based system) you should use RHEL or CentOS which
> > > > has a much longer life cycle. (Speaking of which, RHEL6 was just put in
> > >
> > > I don't agree with your line of reasoning. RHEL may have longer update
> > > cycles, but there's no guarantee a particular RHEL install will be
> > > applying updates in real-time, so the keys in the dnssec-conf package
> > > may still get out of date, or a RHEL install may run after its 5-year
> > > update cycle ends.
> > >
> > > I think the dnssec-conf package should have had a nightly cron job to
> > > refresh these keys, and it was a mistake to deploy without such.
> > >
> > > Just my opinion of course.
> > > _______________________________________________
> > > bind-users mailing list
> > > bind-users at lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/bind-users
> >
> > I use the following scripts (update-trusted-keys and commit-trusted-keys)
> > to manage my trust anchors. I run update-trusted-keys nightly from cron
> > and manually update when I get email that there has been a change.
> >
> > update-trusted-keys replaces the trust anchor when the tld gets a DS
> > record added to the root zone. With no arguments it just updates the
> > current list of zones listed in /etc/trusted-keys.
>
> Isn't it sufficient to configure the root trust anchor inside the "managed-keys {};"
> statement? If I understand correctly the key should be automatically
> updated, shouldn't it?
For 9.7 yes.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
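To make the difference the thread turns on concrete, here is an added named.conf illustration (mine, not from Mark's scripts or from the dnssec-conf package) showing the static trusted-keys form, which is only as fresh as whatever package or cron job last rewrote it, beside the managed-keys form that BIND 9.7 keeps current on its own via RFC 5011. The key material is a placeholder; the real root KSK must be fetched and verified from IANA, and the directory path is an assumption.

```conf
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;      /* 9.7 has no "auto"; a trust anchor must be supplied */

    /* Where named persists the keys it has learned and accepted (assumed path). */
    managed-keys-directory "/var/named/dynamic";
};

/*
 * Static anchor: named never changes this. If the root KSK rolls and nobody
 * edits this file (the dnssec-conf / nightly-cron concern raised above),
 * validation of the entire tree fails.  Kept here only for comparison.
 */
/*
trusted-keys {
    "." 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};
*/

/*
 * RFC 5011 anchor: "initial-key" is consulted only the first time named starts.
 * After that named polls the root DNSKEY RRset, accepts a new KSK once it has
 * been seen signed by the old one for the hold-down period, records the result
 * in managed-keys.bind under managed-keys-directory, and retires the old key
 * when the root operator revokes it.
 */
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};
```

Two operational checks still matter with the managed form: the placeholder above must be replaced by an out-of-band-verified key before first start, because a wrong initial-key is simply trusted and never "corrected" by RFC 5011; and a resolver that is powered off or cut off from the root for longer than a rollover's add-hold-down plus revocation window can miss the transition entirely, so a stale managed-keys.bind should be treated as a reason to re-seed the anchor by hand, much as the thread's manual update on a change notification does.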