Testing RFC 5011 key roll

Warren Kumari warren at kumari.net
Mon Apr 20 20:48:07 UTC 2015

On Mon, Apr 20, 2015 at 4:33 PM, Evan Hunt <each at isc.org> wrote:
> On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
>> That page says (for BIND):
>> "Note: When using this config file you will probably need to delete
>> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys*
>> every time you restart BIND after missing a keyroll." (I'm not quite
>> sure how that filename was derived...)
> The misguided idea was to make a filename that would be unique for
> each view, but not to use the view name because those can contain
> characters that are illegal in file names (e.g., '/').  So it's a
> sha256 hash of the view name,

Cooooool! It looked like a hash of <something>, I was just too lazy to
go figure out what the <something> was. I was hoping it was a hash of
something funny...

> which is guaranteed to be a legal file
> name because it's all hexadecimal.  It's also guaranteed to be maximally
> confusing.
> As of BIND 9.10, it doesn't name files that way anymore.

Awww... Now that I know the secret you've gone and changed it.

> It'll still
> read an existing file using that naming format if it finds one, though.
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.