In message <[email protected]>, Adam Tkac writes:
> On Sat, Nov 13, 2010 at 11:35:57AM +1100, Mark Andrews wrote:
> >
> > In message <[email protected]>, Phil Mayers writes:
> > > On 12/11/10 15:45, Lightner, Jeff wrote:
> > >
> > > > For Production (RPM based system) you should use RHEL or CentOS which
> > > > has a much longer life cycle. (Speaking of which, RHEL6 was just put in
> > >
> > > I don't agree with your line of reasoning. RHEL may have longer update
> > > cycles, but there's no guarantee a particular RHEL install will be
> > > applying updates in real-time, so the keys in the dnssec-conf package
> > > may still get out of date, or a RHEL install may run after its 5-year
> > > update cycle ends.
> > >
> > > I think the dnssec-conf package should have had a nightly cron job to
> > > refresh these keys, and it was a mistake to deploy without such.
> > >
> > > Just my opinion of course.
> > > _______________________________________________
> > > bind-users mailing list
> > > [email protected]
> > > https://lists.isc.org/mailman/listinfo/bind-users
> >
> > I use the following scripts (update-trusted-keys and commit-trusted-keys)
> > to manage my trust anchors. I run update-trusted-keys nightly from cron
> > and manually update when I get email that there has been a change.
> >
> > update-trusted-keys replaces the trust anchor when the tld gets a DS
> > record added to the root zone. With no arguments it just updates the
> > current list of zones listed in /etc/trusted-keys.
>
> Isn't it sufficient to configure the root trust anchor inside "managed-keys {};"
> statement? If I understand correctly the key should be automatically
> updated, shouldn't it?

For 9.7 yes.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]

