Re: Comments on Root Key Rollover impact on BIND users
Thomas Schulz wrote:
>
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

You seem to have muddled up dnssec-enable and dnssec-validation.

The default is "dnssec-enable yes". This enables support for the DO bit and correct RRSIG handling. It's usually best to omit the dnssec-enable option from your configuration file.

The dnssec-validation option controls validation. The default is "no". If you set it to "yes" then you need to manually configure your trust anchors. If you set it to "auto" then you can omit any managed-keys configuration, and BIND will use its built-in default. It's usually best to set "dnssec-validation auto".

A managed-keys clause without an initial key would be empty :-)

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fitzroy, Sole: Southwesterly, but cyclonic at first in northwest, 4 or 5, increasing 6 at times, then increasing 7 or perhaps gale 8 later. Moderate or rough, occasionally very rough later. Occasional rain. Good, occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
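As an added example (not part of the thread and not ISC code), a small Python check that flags the mix-up discussed in the reply above in a named.conf text. The function names, finding codes and sample configurations are constructed for illustration, and the key data is a placeholder.

```python
import re

def strip_comments(conf):
    # Drop /* */, // and # comments. Simplification: does not protect
    # comment markers that occur inside quoted strings such as key data.
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def option(conf, name):
    # Value of a simple "name value;" option, or None when it is absent.
    m = re.search(rf'(?<![\w-]){re.escape(name)}\s+"?([\w-]+)"?\s*;', conf)
    return m.group(1).lower() if m else None

def audit(conf_text):
    """Return a list of (code, message) findings for a named.conf text."""
    conf = strip_comments(conf_text)
    enable = option(conf, "dnssec-enable")
    validation = option(conf, "dnssec-validation")
    anchors = re.search(r"(?<![\w-])(managed-keys|trusted-keys)\s*\{", conf)
    findings = []
    if enable == "auto":
        findings.append(("ENABLE_AUTO", "'auto' is a dnssec-validation value, not a dnssec-enable value"))
    if validation is None:
        findings.append(("VALIDATION_UNSET", "dnssec-validation is not set; dnssec-enable does not control validation"))
    elif validation == "yes" and not anchors:
        findings.append(("NO_TRUST_ANCHOR", "dnssec-validation yes needs manually configured trust anchors"))
    elif validation == "auto" and anchors:
        findings.append(("ANCHOR_OPTIONAL", "with dnssec-validation auto the managed-keys clause can be omitted"))
    return findings

# Constructed sample: the configuration the question describes after the
# intended change. The key data is a placeholder, not a real key.
MUDDLED = '''
options {
    dnssec-enable auto;   // meant dnssec-validation
};
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER_KEY_DATA";
};
'''

# Constructed sample: the setup the reply recommends.
RECOMMENDED = "options { dnssec-validation auto; };"

if __name__ == "__main__":
    for name, text in (("muddled", MUDDLED), ("recommended", RECOMMENDED)):
        print(name, [code for code, _ in audit(text)])
```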
Re: Comments on Root Key Rollover impact on BIND users
In the following I meant to say 'dnssec-validation' instead of 'dnssec-enable'.

> > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> >
> > Towards the end of the blog, there is a short list of possible corner
> > cases that could trip people up during the rollover. If
> > you folks can think of others, please do share them.
>
> I found a case where the documentation is not clear (at least to me).
>
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Comments on Root Key Rollover impact on BIND users
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
>
> Towards the end of the blog, there is a short list of possible corner
> cases that could trip people up during the rollover. If
> you folks can think of others, please do share them.

I found a case where the documentation is not clear (at least to me).

I found that I had 'dnssec-enable yes' along with a managed-keys statement with an initial-key. If I change to 'dnssec-enable auto' do I still need a managed-keys statement? If not will it hurt to have one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com