In message <20101115140938.ga17...@evileye.atkac.brq.redhat.com>, Adam Tkac writes:
> On Sat, Nov 13, 2010 at 11:35:57AM +1100, Mark Andrews wrote:
> >
> > In message <4cdd6467.9050...@imperial.ac.uk>, Phil Mayers writes:
> > > On 12/11/10 15:45, Lightner, Jeff wrote:
> > >
> > > > For Production (RPM based system) you should use RHEL or CentOS which
> > > > has a much longer life cycle. (Speaking of which, RHEL6 was just put in
> > >
> > > I don't agree with your line of reasoning. RHEL may have longer update
> > > cycles, but there's no guarantee a particular RHEL install will be
> > > applying updates in real-time, so the keys in the dnssec-conf package
> > > may still get out of date, or a RHEL install may run after its 5-year
> > > update cycle ends.
> > >
> > > I think the dnssec-conf package should have had a nightly cron job to
> > > refresh these keys, and it was a mistake to deploy without such.
> > >
> > > Just my opinion of course.
> > > _______________________________________________
> > > bind-users mailing list
> > > bind-users@lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/bind-users
> >
> > I use the following scripts (update-trusted-keys and commit-trusted-keys)
> > to manage my trust anchors. I run update-trusted-keys nightly from cron
> > and manually update when I get email that there has been a change.
> >
> > update-trusted-keys replaces the trust anchor when the tld gets a DS
> > record added to the root zone. With no arguments it just updates the
> > current list of zones listed in /etc/trusted-keys.
>
> Isn't it sufficient to configure the root trust anchor inside "managed-keys {};"
> statement? If I understand correctly the key should be automatically
> updated, shouldn't it?

For 9.7 yes.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org