Evan/et.al.,
I've updated to 9.10.2, adjusted the timers, etc., and have managed to
follow the keyroll.systems test overnight (a handful of key changes) plus
still get the desired AD bit.
With the timing in mind, I looked at my unbound (I realize this is BIND
users ;)) which wasn't keeping up
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Using - to get it to dump the secroots output to stdout is a new
feature added for 9.11. That hasn't been published yet, but if you build
from the source tree at source.isc.org (like Tony does),
On 4/21/15, 10:15, Warren Kumari war...@kumari.net wrote:
From the ARM:
Sigh, RTFM...(My, BIND's gotten a lot more complicated/feature-rich since
I last read the docs.)
Hey, it's there.
Edward Lewis edward.le...@icann.org wrote:
I have a suggestion - is there a way to query a BIND server for its trust
anchor key set?
rndc secroots
(though this only provides the key tags not the public key data)
I say perhaps unnecessary because the information may be available on
disk
Edward Lewis edward.le...@icann.org wrote:
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Tony.
--
f.anthony.n.finch d...@dotat.at
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis edward.le...@icann.org wrote:
On 4/21/15, 9:45, Tony Finch d...@dotat.at wrote:
rndc secroots
You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had
On 4/21/15, 9:45, Tony Finch d...@dotat.at wrote:
rndc secroots
You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had my rndc port bumped out of sudo-land, so it's overridden:)
$ rndc -p 1953 -c
My lesson is - besides just working out the configuration - testing
RFC5011 takes more patience than just about any other feature of
DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well.
As a side note: can you imagine my surprise when, after