On Fri, Feb 05, 2010 at 06:22:26AM -0800, Alan Clegg wrote:
> I find this important enough to forward on to bind-users.
>
> Please note the importance of trust anchor management.

We (= me and Paul Wouters) are working on a dnssec-conf update. Sorry for
the trouble.

Regards, Adam

> Date: Fri, 05 Feb 2010 14:25:10 +0100
> From: Anand Buddhdev <ana...@ripe.net>
> To: dnssec-deploym...@dnssec-deployment.org
> Subject: [Dnssec-deployment] Outdated RIPE NCC Trust Anchors in Fedora
>  Linux Repositories
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB;
>  rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
>
> [Apologies for duplicates]
>
> Dear Colleagues,
>
> We have discovered that recent versions of the Fedora Linux distribution
> are shipping with a package called "dnssec-conf", which contains the
> RIPE NCC's DNSSEC trust anchors. This package is installed by default as
> a dependency of BIND, and it configures BIND to do DNSSEC validation.
>
> Unfortunately, the current version of this package (1.21) is outdated
> and contains old trust anchors.
>
> On 16 December 2009, we had a key roll-over event, where we removed the
> old Key-Signing Keys (KSKs). From that time, BIND resolvers running on
> Fedora Linux distributions could not validate any signed responses in
> the RIPE NCC's reverse zones.
>
> If you are running Fedora Linux with the standard BIND package, please
> edit the file "/etc/pki/dnssec-keys//named.dnssec.keys", and comment out
> all the lines in it containing the directory path "production/reverse".
> Then restart BIND.
>
> This will stop BIND from using the outdated trust anchors. If you do
> want to use the RIPE NCC's trust anchors to validate our signed zones,
> we recommend that you fetch the latest trust anchor file from our
> website and reconfigure BIND to use it instead of the ones distributed
> in the dnssec-conf package:
>
> https://www.ripe.net/projects/disi/keys/index.html
>
> Please remember to check frequently for updates to our trust anchor
> file, as we introduce new Key-Signing Keys (KSKs) every 6 months.
>
> Regards,
>
> Anand Buddhdev,
> DNS Services Manager, RIPE NCC

-- 
Adam Tkac, Red Hat, Inc.
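The edit described in the forwarded RIPE NCC mail (comment out every line containing "production/reverse"), as an added shell example that is not part of the original thread or of the dnssec-conf package. It assumes the keys file uses named.conf syntax, where `//` or `#` starts a comment; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail.
# ASSUMPTION: the keys file uses named.conf syntax ("//" or "#" starts a comment).

# Write a CONSTRUCTED sample keys file (contents are illustrative only).
make_sample() {
    cat > "$1" <<'EOF'
include "/etc/pki/dnssec-keys/production/reverse/example-a.conf";
// include "/etc/pki/dnssec-keys/production/reverse/example-b.conf";
include "/etc/pki/dnssec-keys/production/example-tld.conf";
    include "/etc/pki/dnssec-keys/production/reverse/example-c.conf";
EOF
}

# Count active (uncommented) lines that mention production/reverse.
active_reverse_anchors() {
    awk '/production\/reverse/ && !/^[ \t]*(\/\/|#)/ { c++ } END { print c + 0 }' "$1"
}

# Comment out those lines, keeping a backup in "$1.bak".
# Prints the number of lines changed; a second run changes nothing.
disable_reverse_anchors() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    n=$(active_reverse_anchors "$file")
    if [ "$n" -gt 0 ]; then
        cp -p "$file" "$file.bak" || return 1
        awk '/production\/reverse/ && !/^[ \t]*(\/\/|#)/ { print "// " $0; next }
             { print }' "$file.bak" > "$file" || return 1
    fi
    echo "$n"
}

# Demo on the constructed sample; on a real host pass the path from the mail
# and restart BIND afterwards.
tmp=$(mktemp) && make_sample "$tmp" && disable_reverse_anchors "$tmp" && cat "$tmp"
rm -f "$tmp" "$tmp.bak"
```

A non-zero result from `active_reverse_anchors` on a resolver's keys file means the packaged reverse-zone anchors are still in use.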