> From: clem...@dwf.com
> Date: Sun, 29 Aug 2010 17:02:29 -0600
> Sender: bind-users-bounces+oberman=es....@lists.isc.org
>
> > On Aug 28 2010, clem...@dwf.com wrote:
> >
> > > I am getting the message:
> > >
> > > cz DNSKEY: please check the 'trusted-keys' for 'cz' in named.conf.
> > >
> > > And in the past this has meant that something needed to be updated.
> > >
> > > However, when I pull 'anchors.xml' and run anchors2keys < anchors.xml > trusted.keys
> > >
> > > there is no entry for 'cz'.
> > >
> > > What should I be doing???
> >
> > Remove your trust anchor for "cz".
> > Add one for the root zone (if you haven't done so already).
> >
> > "cz" has switched from RSASHA1/NSEC to RSASHA512/NSEC3, had a DS record
> > for it added to the root zone, and has been removed from the ITAR. It's
> > actually been gone from the ITAR for at least a couple of weeks: if
> > you are generating trust anchors from the ITAR you need to fetch and
> > reprocess it (much) more often. Things are changing very fast now that
> > the root zone is signed.
>
> Sorry to appear a bit dense, but I haven't read through the BIND documentation
> in years, and I really don't know anything about these new features.
>
> Can you either point me at the documentation I need to read, or
> explain how to
>
> 'Add one for the root zone'
>
> No, I haven't done this, and I don't see anything for the root zone when
> I do the above, viz. 'anchors2keys < anchors.xml > trusted.keys'.
>
> I know this is all in a state of flux, and things are probably in a state of
> flux, but I'm running BIND 9.6.2 from Fedora 11.
You can get the root key lots of places. Obviously it is best to get it from
somewhere you trust. ISC has it in BIND format, which is nice if you trust it.
ICANN is the obvious place to go, but I don't believe the format ICANN publishes
in is compatible with anchors2keys. The XML schema is different from that of the
ITAR. Not that it is all that hard to figure out.

I will confirm that the ISC published key matches the one ICANN has, but I
wouldn't believe me on that, so confirm it yourself.

Once you get the key, drop it into 'trusted-keys' or 'managed-keys' as
appropriate to your version of BIND. The entry should start '"." 257 3 8'
followed by the ASCII-armored key in quotation marks.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net                  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
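The "confirm it yourself" step above is mechanical once you know what to compare: a DS record (and each KeyDigest in ICANN's root-anchors.xml) is just a key tag plus a hash over the owner name and the DNSKEY RDATA (RFC 4034 sections 5.1 and appendix B), so a key obtained in BIND's trusted-keys/managed-keys form from one source can be checked against a digest obtained from another. The following Python is an added example written for this thread; it is not code from the list, ISC or ICANN. The DNSKEY, the XML document and the key bytes in it are constructed for illustration (the 3-byte "key" is not a usable RSA key and is not the real root KSK), and the XML element names (TrustAnchor, Zone, KeyDigest, KeyTag, Algorithm, DigestType, Digest) are my recollection of the shape of ICANN's root-anchors.xml, which you should check against the real file before relying on the parser.

```python
# Added example (not from the bind-users thread, ISC or ICANN): check that a
# DNSKEY in BIND trusted-keys/managed-keys form matches a DS-style digest from
# a root-anchors.xml-shaped file.  All key material here is constructed.
import base64
import hashlib
import re
import struct
import xml.etree.ElementTree as ET

# One entry of a trusted-keys {} (BIND 9.6) or managed-keys {} (BIND 9.7+) block:
#   "." 257 3 8 "AwEAA...";
#   "." initial-key 257 3 8 "AwEAA...";
_ENTRY = re.compile(
    r'"(?P<name>[^"]+)"\s+(?:initial-key\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"')

def parse_trusted_key(entry):
    """Return (owner, flags, protocol, algorithm, pubkey bytes) from a named.conf entry."""
    m = _ENTRY.search(entry)
    if m is None:
        raise ValueError("not a trusted-keys/managed-keys entry: %r" % entry)
    # named tolerates whitespace and newlines inside the quoted base64 blob.
    pubkey = base64.b64decode(re.sub(r"\s+", "", m.group("key")))
    return (m.group("name"), int(m.group("flags")), int(m.group("proto")),
            int(m.group("alg")), pubkey)

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 appendix B; not valid for RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name; "." is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type=2):
    """Upper-case hex DS digest: hash(owner wire || DNSKEY RDATA), RFC 4034 5.1.4."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(owner) + rdata).hexdigest().upper()

def parse_anchors_xml(xml_text):
    """Yield (zone, keytag, algorithm, digesttype, digest) for each <KeyDigest>."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    for kd in root.findall("KeyDigest"):
        yield (zone, int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
               int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper())

def anchor_matches(entry, xml_text):
    """True iff the DNSKEY in a named.conf entry hashes to a digest in the XML."""
    owner, flags, proto, alg, pubkey = parse_trusted_key(entry)
    if (flags & 0x100) == 0 or proto != 3:     # must be a Zone Key with protocol 3
        return False
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag = key_tag(rdata)
    for zone, ktag, kalg, dtype, digest in parse_anchors_xml(xml_text):
        if (owner_wire(zone) == owner_wire(owner) and ktag == tag and kalg == alg
                and ds_digest(owner, rdata, dtype) == digest):
            return True
    return False

# Constructed sample: a 3-byte "key" (bytes 01 02 03) so the key-tag arithmetic
# can be followed by hand; it works out to 2059.  Not a real or usable key.
SAMPLE_ENTRY = '"." 257 3 8 "AQID";'

# Constructed document in the assumed shape of ICANN's root-anchors.xml; tag and
# digest are filled in from SAMPLE_ENTRY so the positive case is reproducible.
SAMPLE_XML = """<TrustAnchor id="constructed" source="constructed">
<Zone>.</Zone>
<KeyDigest id="constructed" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>{tag}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{digest}</Digest>
</KeyDigest>
</TrustAnchor>"""

def sample_xml():
    """Render SAMPLE_XML with the tag and SHA-256 digest of SAMPLE_ENTRY."""
    _, flags, proto, alg, pubkey = parse_trusted_key(SAMPLE_ENTRY)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return SAMPLE_XML.format(tag=key_tag(rdata), digest=ds_digest(".", rdata))
```

To use it on real data, pass the entry you pasted into named.conf as `entry` and the text of the file you fetched from ICANN as `xml_text`; `anchor_matches(...)` returns True only when owner name, key tag, algorithm and digest all agree, so a single altered key byte (try `'"." 257 3 8 "AQIE";'` against `sample_xml()`) is rejected. The check only ties the key to the digest: it says nothing about whether the digest itself is genuine, so the XML has to come from a channel you trust or be verified separately (ICANN publishes a detached signature over that file), otherwise you have just checked an attacker's key against an attacker's digest.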