DNSSEC with 9.7.2-P2
Adam Tkac
atkac at redhat.com
Mon Nov 15 14:09:38 UTC 2010
On Sat, Nov 13, 2010 at 11:35:57AM +1100, Mark Andrews wrote:
>
> In message <4CDD6467.9050708 at imperial.ac.uk>, Phil Mayers writes:
> > On 12/11/10 15:45, Lightner, Jeff wrote:
> >
> > > For Production (RPM based system) you should use RHEL or CentOS which
> > > has a much longer life cycle. (Speaking of which, RHEL6 was just put in
> >
> > I don't agree with your line of reasoning. RHEL may have longer update
> > cycles, but there's no guarantee a particular RHEL install will be
> > applying updates in real-time, so the keys in the dnssec-conf package
> > may still get out of date, or a RHEL install may run after it's 5-year
> > update cycle ends.
> >
> > I think the dnssec-conf package should have had a nightly cron job to
> > refresh these keys, and it was a mistake to deploy without such.
> >
> > Just my opinion of course.
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> I use the following scripts (update-trusted-keys and commit-trusted-keys)
> to manage my trust anchors. I run update-trusted-keys nightly from cron
> and manually update when I get email that there has been a change.
>
> update-trusted-keys replaces the trust anchor when the tld gets a DS
> record added to the root zone. With no arguments it just updates the
> current list of zones listed in /etc/trusted-keys.
Isn't it sufficient to configure the root trust anchor inside a "managed-keys {};"
statement? If I understand correctly the key should be automatically
updated, shouldn't it?
Regards, Adam
--
Adam Tkac, Red Hat, Inc.
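The contrast behind the question above, written out as an added example (this is
not configuration from the thread, from BIND's documentation, or from the dnssec-conf
package): a static trusted-keys block, which goes stale exactly the way the quoted
message describes, next to a managed-keys block for the same zone using the RFC 5011
initial-key mechanism that BIND 9.7 supports. The DNSKEY material is a placeholder,
not the real root KSK; the file layout and the managed-keys-directory path are
assumptions for the example.

```conf
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    // named must be able to write its managed-keys.bind journal here,
    // otherwise RFC 5011 tracking cannot persist across restarts.
    managed-keys-directory "/var/named/dynamic";
};

// Stale-prone form: a static anchor. named trusts exactly this key until the
// file is edited, so a root KSK rollover silently breaks validation once the
// old key is retired, unless an external job (cron, package update) rewrites it.
// trusted-keys {
//     "." 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64==";
// };

// RFC 5011 form: "initial-key" is only the bootstrap anchor. After startup
// named polls the root DNSKEY RRset, accepts a new KSK once it has been seen
// signed by the current one for the hold-down period, and records the
// transition in managed-keys.bind. No cron job is needed for routine rollovers.
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64==";
};
```

Two checks worth keeping in mind with the managed-keys form: the initial key must
still be verified out of band before it is installed, because RFC 5011 can only
follow rollovers from an anchor it already trusts; and a server that has been down
for longer than the rollover window, or whose journal was lost, has to be
re-bootstrapped by hand.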