cant update 'cz'
dot at dotat.at
Sun Sep 5 18:00:22 UTC 2010
On 30 Aug 2010, at 00:02, clemens at dwf.com wrote:
> Can you either point me at the documentation I need to read, or
> explain how to
> 'Add one for the root zone'
Have a look at:
Note that since you are using bind-9.6 you have to use a "trusted-keys" clause since it doesn't support "managed-keys" / RFC 5011. For the same reason bind-9.6 also does not support "dnssec-lookaside auto".
> No I havent done this, and I dont see anything for the root zone when
> I do the above, viz 'anchors2keys < anchors.xml > trusted.keys'.
The ITAR only contains TLD trust anchors, not the root trust anchor nor any for lower zones. Also, the root trust anchor is distributed in a different format to the ITAR so anchors2keys doesn't work on it (hence my blog post).
I recommend ignoring the ITAR (it is due to be eliminated now the root has been signed). Use dnssec-lookaside if you want to validate zones that lack a chain of trust from the root.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
More information about the bind-users