KSK Rollover

John W. Blue john.blue at rrcic.com
Thu Sep 6 18:14:20 UTC 2018

As I personally understand it you can ignore this notice if:

a) you are not enforcing DNSSEC validation
b) if you are running a version of BIND that supports automatic KSK updates.


Sent from Nine<http://www.9folders.com/>
From: Brent Swingle <brent at havilandtelco.com>
Sent: Thursday, September 6, 2018 12:36 PM
To: bind-users at lists.isc.org
Subject: KSK Rollover

I recently received an email indicating that our DNS servers are not properly equipped for the planned KSK Rollover that is coming.  It leads off with this line "On 11 October 2018, ICANN will change or "roll over" the DNSSEC key signing key (KSK) of the DNS root zone."

Reading through the email there are links on how to check our server setup and make adjustments.  My specific question to the group is in regards to one of the steps outlined for checking the current configuration.

This is the link that outlines the server test steps:

This is the command that does not work and the output received:
[root at ns2 ~]# rndc secroots
rndc: 'secroots' failed: permission denied
[root at ns2 ~]#

This are the versions that I am running:
[root at ns2 ~]# named -v
BIND 9.10.2-P4-RedHat-9.10.2-5.P4.fc22

Might anyone be able to tell me what adjustment I would need to make in order for this command to work properly so I can look at the output file and verify my config?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20180906/a768a3d8/attachment.html>

More information about the bind-users mailing list