Hi,

AFAICS dns-root-data has no reverse-dependency in Jessie (I ran the script in a more recent box and got confused). Does it make sense to update it after all?

bind9 ships 3 keys in /etc/bind/bind.keys with the comment "Servers which were already using the old key (19036) should roll seamlessly to this new one via RFC 5011 rollover" - hmm, so isn't this working as intended?

unbound doesn't seem to ship any key (I only see the old 19036 in testdata/ in the source package). However it populated /var/lib/unbound/root.key with 20326 on install.

Cheers!
Sylvain

On 13/05/2019 20:45, Ondřej Surý wrote:
> Hi Sylvain,
>
> I am actually not sure whether BIND 9 in Jessie already uses dns-root-data,
> so maybe same procedure will be needed for bind9 package.
>
> Could you perhaps also check unbound?
>
> This is the most probable cause of the weird traffic with old key that DNS
> Root Operators see at root servers.
>
> Just make sure it contains only the new DNSKEY (2017) and not both.
>
> Thanks,
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
>> On 14 May 2019, at 01:38, Sylvain Beucler <b...@beuc.net> wrote:
>>
>> Hi,
>>
>> On 13/05/2019 05:43, Ondřej Surý wrote:
>>> could you please update dns-root-data package in Jessie LTS to latest
>>> version from Unstable/Stretch?
>> I'll backport it following dkg's stretch update.
>>
>> Besides setting up a bind9, anything we should test?
>>
>> Cheers!
>> Sylvain