dnssec KSK rollover

project722 project722 at gmail.com
Thu Aug 23 22:58:51 UTC 2018

Actually I have one more question just to make sure I'm not overlooking
anything for the KSK rollover. The instructions here:


say that I need to, in addition to setting validation to "auto" run:

rndc secroots.

Well, I did that and it created the named.secroots file with the correct

secure roots as of 23-Aug-2018 17:27:15.420:

 Start view _default
   Secure roots:

./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed

   Negative trust anchors:

Does BIND automatically know to use this file or do I need to point
named.conf to it? Do I even need this file at all?

On Thu, Aug 23, 2018 at 9:43 AM project722 <project722 at gmail.com> wrote:

> Thanks Tony! This was very helpful.
> On Thu, Aug 23, 2018 at 8:01 AM Tony Finch <dot at dotat.at> wrote:
>> project722 <project722 at gmail.com> wrote:
>> >
>> > 1) I am still seeing the "no valid signature found" messages in my
>> > bind.log.
>> > ;; validating ncentral.teklinks.com/A: no valid signature found
>> In this case that's because ncentral.teklinks.com is signed but there's
>> no
>> DS in the parent zone, so it's insecure. If you run delv +vtrace you'll
>> see a lot of verbiage between these lines which is the major clue.
>> ;; validating teklinks.com/DS: attempting negative response validation
>> ;; validating teklinks.com/DS: nonexistence proof(s) found
>> Or you can look at dnsviz.net :-)
>> > 2) There is one other scenario that confuses me. When I test against a
>> URL
>> > that's purposely setup to fail dnssec, I get a servfail.
>> dnssec-failed.org has DS records, so it should be secure, but the DS
>> records in the parent don't match the DNSKEY records in the child zone.
>> You can see this by comparing:
>> $ dig +noall +answer dnssec-failed.org ds
>> $ dig +cd dnssec-failed.org dnskey |
>>   dnssec-dsfromkey -f /dev/stdin dnssec-failed.org
>> Tony.
>> --
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
>> protect and enlarge the conditions of liberty and social justice
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180823/8f0bb6fc/attachment.html>

More information about the bind-users mailing list