Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Tony Finch
Thomas Schulz  wrote:
>
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

You seem to have muddled up dnssec-enable and dnssec-validation.

The default is "dnssec-enable yes". This enables support for the DO bit
and correct RRSIG handling. It's usually best to omit the dnssec-enable
option from your configuration file.

The dnssec-validation option controls validation. The default is "no".
If you set it to "yes" then you need to manually configure your trust
anchors. If you set it to "auto" then you can omit any managed-keys
configuration, and BIND will use its built-in default. It's usually
best to set "dnssec-validation auto".

A managed-keys clause without an initial key would be empty :-)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fitzroy, Sole: Southwesterly, but cyclonic at first in northwest, 4 or 5,
increasing 6 at times, then increasing 7 or perhaps gale 8 later. Moderate or
rough, occasionally very rough later. Occasional rain. Good, occasionally
poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
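
An added example, not part of the thread and not ISC code: a small Python check of a named.conf for the two settings the reply above distinguishes, dnssec-validation and managed-keys. The sample configurations, the key placeholder and the function names are constructed for illustration; the "no" default is the one stated in the reply.

```python
import re

# Constructed sample configurations (not taken from the thread).
MANUAL = '''
options {
    dnssec-validation yes;
};
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK";   // placeholder, not a real key
};
'''
AUTO = '''
options {
    // dnssec-validation yes;   (old setting, commented out)
    dnssec-validation auto;
};
'''
NO_OPTION = 'options { directory "/var/named"; };'

def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings intact."""
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return re.sub(pattern, keep_strings, text, flags=re.S)

def audit(text):
    """Return (dnssec-validation value, managed-keys has initial-key, advice)."""
    conf = strip_comments(text)
    m = re.search(r'\bdnssec-validation\s+(\w+)\s*;', conf)
    mode = m.group(1).lower() if m else "no"   # default as stated in the reply
    mk = re.search(r'\bmanaged-keys\s*\{(.*?)\}\s*;', conf, flags=re.S)
    has_key = bool(mk and re.search(r'\binitial-key\b', mk.group(1)))
    if mode == "auto":
        advice = "built-in trust anchor is used; managed-keys may be omitted"
    elif mode == "yes":
        advice = ("trust anchor configured manually" if has_key
                  else "validation enabled but no trust anchor configured")
    else:
        advice = "validation is off"
    return mode, has_key, advice

if __name__ == "__main__":
    for name, conf in (("manual", MANUAL), ("auto", AUTO), ("none", NO_OPTION)):
        print(name, audit(conf))
```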


Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Thomas Schulz
In the following I meant to say 'dnssec-validation' instead of 'dnssec-enable'.

> > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> > 
> > Towards the end of the blog, there is a short list of possible corner
> > cases that could trip people up during the rollover.  If
> > you folks can think of others, please do share them.
> 
> I found a case where the documentation is not clear (at least to me).
> 
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Thomas Schulz
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> 
> Towards the end of the blog, there is a short list of possible corner
> cases that could trip people up during the rollover.  If
> you folks can think of others, please do share them.

I found a case where the documentation is not clear (at least to me).

I found that I had 'dnssec-enable yes' along with a managed-keys
statement with an initial-key. If I change to 'dnssec-enable auto'
do I still need a managed-keys statement? If not will it hurt to have
one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com