On 28/09/2018 10:55, Anand Buddhdev wrote:
> On 11 October, the old key won't be removed. On that day, the new key
> will start signing the DNSKEY RRset. The old key (id 19036) will remain
> in the root zone; it just won't sign the DNSKEY RRset. Eventually, in
> the first quarter of 2019, it will
On 28/09/2018 11:37, Ray Bellis wrote:
Hi Ray,
> At this time the old key will be removed from the root zone leaving only
> the new key (id 20326) in the zone. If your DNS servers don't know and
> trust the new key at that point then DNSSEC validation errors will occur.
On 11 October, the old k
This is a reminder for users of BIND that the most critical phase of the
rollover of the root zone's DNSSEC KSK is scheduled to happen at 16:00
UTC on Thursday 11th October.
At this time the old key will be removed from the root zone leaving only
the new key (id 20326) in the zone. If your DNS se
Actually I have one more question just to make sure I'm not overlooking
anything for the KSK rollover. The instructions here:
https://www.icann.org/dns-resolvers-checking-current-trust-anchors
say that I need to, in addition to setting validation to "auto", run:
rndc secroots.
Well, I did that a
Thanks Tony! This was very helpful.
On Thu, Aug 23, 2018 at 8:01 AM Tony Finch wrote:
> project722 wrote:
> >
> > 1) I am still seeing the "no valid signature found" messages in my
> > bind.log.
>
> > ;; validating ncentral.teklinks.com/A: no valid signature found
>
> In this case that's becaus
project722 wrote:
>
> 1) I am still seeing the "no valid signature found" messages in my
> bind.log.
> ;; validating ncentral.teklinks.com/A: no valid signature found
In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run de
Hi Tony,
I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two
thin
project722 wrote:
>
> In my named.conf I changed:
>
> dnssec-validation yes;
>
> to
>
> dnssec-validation auto;
Good :-)
Next thing to do is delete all trace of managed-keys or mkeys files or
trusted-keys configuration, then restart `named`. It will automatically
create managed-keys files with t
Hey guys,
We received an email today about one of our recursive DNS servers that did
not support the new KSK for DNSSEC.
On 11 October 2018, ICANN will change or "roll over" the DNSSEC key
signing key (KSK) of the DNS root zone. Based on information from your
netw
9 matches