> On Aug 28 2010, clem...@dwf.com wrote:
>
> >I am getting the message:
> >
> >    cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.
> >
> >And in the past this has meant that something needed to be updated.
> >
> >However, when I pull 'anchors.xml' and run
> >
> >    anchors2keys < anchors.xml > trusted.keys
> >
> >there is no entry for 'cz'.
> >
> >What should I be doing???
>
> Remove your trust anchor for "cz".
> Add one for the root zone (if you haven't done so already).
>
> "cz" has switched from RSASHA1/NSEC to RSASHA512/NSEC3, had a DS record
> for it added to the root zone, and has been removed from the ITAR. It's
> actually been gone from the ITAR for at least a couple of weeks: if
> you are generating trust anchors from the ITAR you need to fetch and
> reprocess it (much) more often. Things are changing very fast now that
> the root zone is signed.
>

Sorry to appear a bit dense, but I haven't read through the bind documentation
in years, and I really don't know anything about these new features.
Can you either point me at the documentation I need to read, or explain
how to 'Add one for the root zone'?

No, I haven't done this, and I don't see anything for the root zone when I do
the above, viz 'anchors2keys < anchors.xml > trusted.keys'.

I know this is all in a state of flux, and things are probably in a state of
flux, but I'm running bind 9.6.2 from Fedora 11.

--
Reg.Clemens
r...@dwf.com