On Sat, Nov 13, 2010 at 11:35:57AM +1100, Mark Andrews wrote:
>
> In message <4cdd6467.9050...@imperial.ac.uk>, Phil Mayers writes:
> > On 12/11/10 15:45, Lightner, Jeff wrote:
> > >
> > > For Production (RPM based system) you should use RHEL or CentOS which
> > > has a much longer life cycle. (Speaking of which, RHEL6 was just put in
> >
> > I don't agree with your line of reasoning. RHEL may have longer update
> > cycles, but there's no guarantee a particular RHEL install will be
> > applying updates in real-time, so the keys in the dnssec-conf package
> > may still get out of date, or a RHEL install may run after its 5-year
> > update cycle ends.
> >
> > I think the dnssec-conf package should have had a nightly cron job to
> > refresh these keys, and it was a mistake to deploy without such.
> >
> > Just my opinion of course.
> > _______________________________________________
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> I use the following scripts (update-trusted-keys and commit-trusted-keys)
> to manage my trust anchors. I run update-trusted-keys nightly from cron
> and manually update when I get email that there has been a change.
>
> update-trusted-keys replaces the trust anchor when the tld gets a DS
> record added to the root zone. With no arguments it just updates the
> current list of zones listed in /etc/trusted-keys.

Isn't it sufficient to configure the root trust anchor inside the
"managed-keys {};" statement? If I understand correctly the key should be
automatically updated, shouldn't it?

Regards, Adam

--
Adam Tkac, Red Hat, Inc.
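
For reference, the two ways of configuring the root trust anchor that this thread contrasts, as an added named.conf sketch that is not taken from any message in the thread. The directory paths are assumptions and the key data is a labelled placeholder, not a real key.

```conf
options {
    directory "/var/named";                        // assumed path
    dnssec-enable yes;
    dnssec-validation yes;

    // named must be able to write here: it stores the RFC 5011
    // tracking state for managed keys in this directory.
    managed-keys-directory "/var/named/dynamic";   // assumed path
};

// Static anchor: stays exactly as shipped until someone (or a cron
// job) edits the file, so it goes stale when the key rolls.
//
// trusted-keys {
//     "." 257 3 8 "<ROOT-KSK-BASE64-PLACEHOLDER>";
// };

// Managed anchor: the key given here is used only to bootstrap
// trust the first time named starts. After that named follows key
// rollovers for this zone using RFC 5011 and keeps its own copy.
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-BASE64-PLACEHOLDER>";
};
```

The `initial-key` still has to be a currently valid key on first start, so a package that ships an outdated one fails on a fresh install in the same way a stale static anchor does. A resolver that is not running while a rollover takes place also cannot follow it and needs the anchor replaced by hand.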