Re: dns-root-data in Jessie LTS

2019-05-15 Thread Sylvain Beucler
Ping ? :)

On 13/05/2019 21:14, Sylvain Beucler wrote:
> Hi,
>
> AFAICS dns-root-data has no reverse-dependency in Jessie (I ran the
> script in a more recent box and got confused).
> Does it make sense to update it after all?
>
> bind9 ships 3 keys in /etc/bind/bind.keys with the comment "Servers
> which were already using the old key (19036) should roll seamlessly to
> this new one via RFC 5011 rollover" - hmm, so isn't this working as
> intended?
>
> unbound doesn't seem to ship any key (I only see the old 19036 in
> testdata/ in the source package).
> However it populated /var/lib/unbound/root.key with 20326 on install.
>
> Cheers!
> Sylvain
>
> On 13/05/2019 20:45, Ondřej Surý wrote:
>> Hi Sylvain,
>>
>> I am actually not sure whether BIND 9 in Jessie already uses dns-root-data,
>> so maybe same procedure will be needed for bind9 package.
>>
>> Could you perhaps also check unbound?
>>
>> This is the most probable cause of the weird traffic with old key that DNS
>> Root Operators see at root servers.
>>
>> Just make sure it contains only the new DNSKEY (2017) and not both.
>>
>> Thanks,
>> Ondrej
>> --
>> Ondřej Surý
>> ond...@isc.org
>>
>>> On 14 May 2019, at 01:38, Sylvain Beucler wrote:
>>>
>>> Hi,
>>>
>>> On 13/05/2019 05:43, Ondřej Surý wrote:
>>>> could you please update dns-root-data package in Jessie LTS to latest
>>>> version from Unstable/Stretch?
>>> I'll backport it following dkg's stretch update.
>>>
>>> Besides setting up a bind9, anything we should test?
>>>
>>> Cheers!
>>> Sylvain



Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
Hi,

AFAICS dns-root-data has no reverse-dependency in Jessie (I ran the
script in a more recent box and got confused).
Does it make sense to update it after all?

bind9 ships 3 keys in /etc/bind/bind.keys with the comment "Servers
which were already using the old key (19036) should roll seamlessly to
this new one via RFC 5011 rollover" - hmm, so isn't this working as
intended?

unbound doesn't seem to ship any key (I only see the old 19036 in
testdata/ in the source package).
However it populated /var/lib/unbound/root.key with 20326 on install.

Cheers!
Sylvain

On 13/05/2019 20:45, Ondřej Surý wrote:
> Hi Sylvain,
>
> I am actually not sure whether BIND 9 in Jessie already uses dns-root-data,
> so maybe same procedure will be needed for bind9 package.
>
> Could you perhaps also check unbound?
>
> This is the most probable cause of the weird traffic with old key that DNS
> Root Operators see at root servers.
>
> Just make sure it contains only the new DNSKEY (2017) and not both.
>
> Thanks,
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
>> On 14 May 2019, at 01:38, Sylvain Beucler wrote:
>>
>> Hi,
>>
>> On 13/05/2019 05:43, Ondřej Surý wrote:
>>> could you please update dns-root-data package in Jessie LTS to latest 
>>> version from Unstable/Stretch?
>> I'll backport it following dkg's stretch update.
>>
>> Besides setting up a bind9, anything we should test?
>>
>> Cheers!
>> Sylvain
>>



Re: dns-root-data in Jessie LTS

2019-05-13 Thread Ondřej Surý
Hi Sylvain,

I am actually not sure whether BIND 9 in Jessie already uses dns-root-data,
so maybe same procedure will be needed for bind9 package.

Could you perhaps also check unbound?

This is the most probable cause of the weird traffic with old key that DNS Root
Operators see at root servers.

Just make sure it contains only the new DNSKEY (2017) and not both.

Thanks,
Ondrej
--
Ondřej Surý
ond...@isc.org

> On 14 May 2019, at 01:38, Sylvain Beucler wrote:
> 
> Hi,
> 
> On 13/05/2019 05:43, Ondřej Surý wrote:
>> could you please update dns-root-data package in Jessie LTS to latest 
>> version from Unstable/Stretch?
> 
> I'll backport it following dkg's stretch update.
> 
> Besides setting up a bind9, anything we should test?
> 
> Cheers!
> Sylvain
> 
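
A check for the request in the message above (only the new key, not both), added here as an example and not code from the thread or from any of the packages it mentions: it computes RFC 4034 key tags from the DNSKEY records themselves instead of trusting comments in the file. It assumes zone-file style DNSKEY lines; the function names and the sample records are constructed for illustration.

```python
import base64
import re
import struct

# Key tags named in the thread: 19036 is the old root key, 20326 the new one.
OLD_TAG, NEW_TAG = 19036, 20326
DNSKEY_RE = re.compile(
    r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text):
    """Key tags of every DNSKEY record with the SEP flag set."""
    tags = set()
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.split(";", 1)[0].strip())
        if not m:
            continue
        flags, protocol, algorithm = (int(g) for g in m.groups()[:3])
        if flags & 0x0001:  # SEP bit marks a key-signing key
            key = base64.b64decode("".join(m.group(4).split()))
            tags.add(key_tag(flags, protocol, algorithm, key))
    return tags

def audit(text):
    """Say which of the two root key tags a trust-anchor file contains."""
    tags = anchor_tags(text)
    if tags == {NEW_TAG}:
        return "ok: only new key"
    if {OLD_TAG, NEW_TAG} <= tags:
        return "both keys present"
    if OLD_TAG in tags:
        return "only old key"
    return "unexpected tags: %s" % sorted(tags)

# Constructed stand-ins (not the real root keys), crafted to hit the two tags.
OLD = ". 172800 IN DNSKEY 257 3 8 RlM= ; constructed, tag 19036"
NEW = ". 172800 IN DNSKEY 257 3 8 S10= ; constructed, tag 20326"

if __name__ == "__main__":
    for name, text in [("old+new", OLD + "\n" + NEW), ("new only", NEW)]:
        print(name, "->", audit(text))
```
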



Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
Hi,

On 13/05/2019 05:43, Ondřej Surý wrote:
> could you please update dns-root-data package in Jessie LTS to latest version 
> from Unstable/Stretch?

I'll backport it following dkg's stretch update.

Besides setting up a bind9, anything we should test?

Cheers!
Sylvain