Actually I have one more question just to make sure I'm not overlooking
anything for the KSK rollover. The instructions here:
https://www.icann.org/dns-resolvers-checking-current-trust-anchors
say that I need to, in addition to setting validation to "auto", run:
rndc secroots.
Well, I did that a

Thanks Tony! This was very helpful.
On Thu, Aug 23, 2018 at 8:01 AM Tony Finch wrote:
> project722 wrote:
> >
> > 1) I am still seeing the "no valid signature found" messages in my
> > bind.log.
>
> > ;; validating ncentral.teklinks.com/A: no valid signature found
>
> In this case that's becaus

project722 wrote:
>
> 1) I am still seeing the "no valid signature found" messages in my
> bind.log.
> ;; validating ncentral.teklinks.com/A: no valid signature found

In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run de

Hi Tony,
I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two
thin

project722 wrote:
>
> In my named.conf I changed:
>
> dnssec-validation yes;
>
> to
>
> dnssec-validation auto;

Good :-)
Next thing to do is delete all trace of managed-keys or mkeys files or
trusted-keys configuration, then restart `named`. It will automatically
create managed-keys files with t