Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Tony Finch
Thomas Schulz  wrote:
>
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

You seem to have muddled up dnssec-enable and dnssec-validation.

The default is "dnssec-enable yes". This enables support for the DO bit
and correct RRSIG handling. It's usually best to omit the dnssec-enable
option from your configuration file.

The dnssec-validation option controls validation. The default is "no".
If you set it to "yes" then you need to manually configure your trust
anchors. If you set it to "auto" then you can omit any managed-keys
configuration, and BIND will use its built-in default. It's usually
best to set "dnssec-validation auto".

A managed-keys clause without an initial key would be empty :-)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Fitzroy, Sole: Southwesterly, but cyclonic at first in northwest, 4 or 5,
increasing 6 at times, then increasing 7 or perhaps gale 8 later. Moderate or
rough, occasionally very rough later. Occasional rain. Good, occasionally
poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
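
The distinction drawn in the reply above, as an added example that is not part of the thread or ISC's code: a Python check that reads named.conf text and reports which of the described combinations it contains. It looks only at dnssec-enable, dnssec-validation and managed-keys; the sample configuration, its placeholder key and the finding names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): validation "yes" plus a
# managed-keys clause; the key material is a placeholder, not a real key.
SAMPLE_CONF = '''
options {
    dnssec-enable yes;        # default, could be omitted
    dnssec-validation yes;
};
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER-BASE64-KEY";
};
'''

def _strip_comments(text):
    # Drops /* */, // and # comments; does not handle these inside quoted strings.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def _option(conf, name):
    # First "<name> <word>;" found anywhere in the file, or None if unset.
    m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s+"?([\w-]+)"?\s*;', conf)
    return m.group(1).lower() if m else None

def audit(text):
    """Return a list of finding codes for the options discussed in the reply."""
    conf = _strip_comments(text)
    enable = _option(conf, 'dnssec-enable')
    validation = _option(conf, 'dnssec-validation')
    clause = re.search(r'(?<![\w-])managed-keys\s*\{(.*?)\}\s*;', conf, flags=re.S)
    findings = []
    if enable == 'yes':
        findings.append('enable-is-default')        # line can be omitted
    elif enable not in (None, 'no'):
        findings.append('enable-bad-value')         # e.g. "auto": wrong option
    if validation is None:
        findings.append('validation-unset')         # built-in default applies
    elif validation == 'yes':
        findings.append('manual-anchor' if clause else 'yes-without-anchor')
    elif validation == 'auto' and clause:
        findings.append('managed-keys-redundant')   # auto uses built-in anchor
    if clause and 'initial-key' not in clause.group(1):
        findings.append('managed-keys-empty')
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE_CONF))
```
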


Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Thomas Schulz
In the following I meant to say 'dnssec-validation' instead of 'dnssec-enable'.

> > https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> > 
> > Towards the end of the blog, there is a short list of possible corner
> > cases that could trip people up during the rollover.  If
> > you folks can think of others, please do share them.
> 
> I found a case where the documentation is not clear (at least to me).
> 
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: Comments on Root Key Rollover impact on BIND users

2016-12-12 Thread Thomas Schulz
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
> 
> Towards the end of the blog, there is a short list of possible corner
> cases that could trip people up during the rollover.  If
> you folks can think of others, please do share them.

I found a case where the documentation is not clear (at least to me).

I found that I had 'dnssec-enable yes' along with a managed-keys
statement with an initial-key. If I change to 'dnssec-enable auto'
do I still need a managed-keys statement? If not will it hurt to have
one? Can I have a managed-keys statement without an initial-key?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Comments on Root Key Rollover impact on BIND users

2016-12-09 Thread Victoria Risk
You all are probably aware of the plans for rolling the root dnssec key in 
2017.  ICANN is trying to ensure this goes smoothly and we are of course 
looking for ways ISC can help.

There is a draft blog post on the topic of the 2017 Root Key Rollover, kind of 
hidden on ISC’s web site here: 
https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/

We had to turn off comments on the web site because the spam was out of 
hand, but I welcome corrections, examples, or further suggestions from 
bind-users and will add them to the blog.

Towards the end of the blog, there is a short list of possible ‘corner cases’ 
that could trip people up during the rollover.  If you folks can think of 
others, please do share them.  ISC’s BIND test engineer, Curtis, is planning a 
thorough test of the BIND support for the root dnssec key rollover in 2017 Q1 
and he would appreciate any input into the test plan.

Please either post discussion here or unicast to vi...@isc.org or c...@isc.org.

Thank you,

Vicky Risk
Product Manager, isc.org


