Testing RFC 5011 key roll

Warren Kumari warren at kumari.net
Tue Apr 21 14:15:10 UTC 2015


On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis <edward.lewis at icann.org> wrote:
> On 4/21/15, 9:45, "Tony Finch" <dot at dotat.at> wrote:
>>rndc secroots
>>
>>You can also look in the .mkeys file.
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
>
> (I had my rndc port bumped out of sudo-land, so it's overridden:)
>
> $ rndc -p 1953 -c rndc.conf secroots


From the ARM:
secroots-file:
The pathname of the file the server dumps security roots to when
instructed to do so with rndc secroots. If not specified, the default
is named.secroots.

root at eric:/var/named# rndc secroots
root at eric:/var/named# more named.secroots
21-Apr-2015 10:07:02.278

 Start view external

./RSASHA256/19036 ; managed
dlv.isc.org/RSASHA1/19297 ; trusted

W




>
> $
>
> $ cat 21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys
> $ORIGIN .
> $TTL 0  ; 0 seconds
> @                       IN SOA  . . (
>                                 879        ; serial
>                                 0          ; refresh (0 seconds)
>                                 0          ; retry (0 seconds)
>                                 0          ; expire (0 seconds)
>                                 0          ; minimum (0 seconds)
>                                 )
>                         KEYDATA 20150421135415 20150421125042 19700101000000 257 3 8 (
>                                 AwEAAb7pfymUZ3LzR7ldtJ5fvgxxu/Y4I7QtBmlqlhJS
>                                 Je6Ugw+/72eYAnLYh7xHaNkAzjP6oi1rxOL0s9wj7TVU
>                                 +r9bK+KuzOvZfKzNS+ywTdZ0QXSJSJNTLJfgaMMvnyp/
>                                 K2LajQ4wNV1UblSqPPs9FdCXqVbxKF7i4j6h6QO61xkf
>                                 s2LSkiPu+TCK05fizdfuDIit8KlQr6sgV1jiBrXm4kmY
>                                 5o9txePRz8oy/C4+6IDVtA1zSlDTvsbwYk1KjHa9CXcA
>                                 7BkuYaBlxB4zgBF/koaX55IdhbKKkwsN8qJhPanu72zq
>                                 2933IF96RtikjvX/ugC7VBvNlGgy5dQrvKu/G7M=
>                                 ) ; KSK; alg = RSASHA256; key id = 26512
>                                 ; next refresh: Tue, 21 Apr 2015 13:54:15 GMT
>                                 ; trusted since: Tue, 21 Apr 2015 12:50:42 GMT
>                         KEYDATA 20150421135415 20150421135145 19700101000000 257 3 8 (
>                                 AwEAAeHrxs5uJwldPTjAplgBzGRptPYrFgNFoPZDyrEa
>                                 CAuNckUuHkQIMr5Pkv/XONS2CLcLmq5HtvLPzevkAjWv
>                                 wIMhYn0nE4fTTl8diTnOFKLEcPBs/jAqKU5n/ZV5ZXiP
>                                 NCUgg3qvXetntojb+JesE9fdYgUlWrgIUjx9y17Fhb+J
>                                 lP56kqhxER2L0AUEFTH+x/Jxkzea6E8FFkYGUJ+tzEt0
>                                 S+ESRaDTNmdKgqe9GAi6ID3GRYgsn9cgNIOmBYHrzhQv
>                                 R5XaTK37nUlVMKjyQxu2Lq+lhIu9348aSt+g42QJxJ1s
>                                 VTRPVPEVQt1s71SHuWTd/OBCz5f8fZqQrG0mA9E=
>                                 ) ; KSK; alg = RSASHA256; key id = 8869
>                                 ; next refresh: Tue, 21 Apr 2015 13:54:15 GMT
>                                 ; trusted since: Tue, 21 Apr 2015 13:51:45 GMT
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
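
As an added example (not part of the original message and not BIND code): a parser that reads KEYDATA records from a .mkeys file like the one quoted above and reports each key's RFC 5011 state at a given time. The field reading follows the dump's own comments (first timestamp = next refresh, second = trusted since); treating the third timestamp as the removal hold-down and a future second timestamp as "trust pending" is an assumption, and the key material in the sample is a placeholder.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two KEYDATA headers and key ids from the quoted
# .mkeys file, with the base64 key material replaced by a placeholder.
SAMPLE_MKEYS = """\
$ORIGIN .
$TTL 0  ; 0 seconds
        KEYDATA 20150421135415 20150421125042 19700101000000 257 3 8 (
                PLACEHOLDERKEYDATA=
                ) ; KSK; alg = RSASHA256; key id = 26512
        KEYDATA 20150421135415 20150421135145 19700101000000 257 3 8 (
                PLACEHOLDERKEYDATA=
                ) ; KSK; alg = RSASHA256; key id = 8869
"""

# refresh, add hold-down, remove hold-down, flags, protocol, algorithm, key, id
KEYDATA_RE = re.compile(
    r"KEYDATA\s+(\d{14})\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\d+)\s+(\d+)\s*\("
    r"([^()]*)\)\s*;[^\n]*key id = (\d+)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field


def _ts(stamp):
    """Convert a YYYYMMDDHHMMSS zone-file timestamp to an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def key_states(mkeys_text, now):
    """Return {key_id: state} for every KEYDATA record, evaluated at `now`."""
    states = {}
    for _refresh, add, remove, flags, _p, _a, _key, key_id in KEYDATA_RE.findall(mkeys_text):
        if int(flags) & REVOKE:
            state = "revoked"
        elif _ts(remove) != EPOCH:
            state = "removal pending"  # assumption: 3rd timestamp is the remove hold-down
        elif _ts(add) > now:
            state = "trust pending"    # assumption: add hold-down has not yet expired
        else:
            state = "trusted"
        states[int(key_id)] = state
    return states


if __name__ == "__main__":
    for hour in (13, 14):  # before and after key 8869's "trusted since" time
        now = datetime(2015, 4, 21, hour, 0, tzinfo=timezone.utc)
        print(now.isoformat(), key_states(SAMPLE_MKEYS, now))
```

Comparing the result with the keys listed in the `rndc secroots` dump shows whether a new key has actually been promoted or is still waiting out its hold-down.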

