[Yeti DNS Discuss] Re: Yeti KSK roll status

Davey Song(宋林健) ljsong at biigroup.cn
Fri May 12 06:57:26 UTC 2017

Now the revoked KSK is removed from the root zone. By definition the revoked
key does not need to stay in the zone for the whole remove hold-on timer.
So we shortened the duration in which the revoked key is in the zone to reduce
the size of the DNSKEY response.


Now the BIND9 resolver shows “remove pending” and unbound shows “revoked”



From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of dbgong
Sent: May 3, 2017 17:14
To: discuss
Subject: [Yeti DNS Discuss] Yeti KSK roll status


Hi Folks, 


The old Yeti KSK (19444) has been revoked, and it will take effect at the next
serial number (2017050300)

 If you are running a yeti resolver, please check the state of KSK in the


* For unbound:

cat yeti.key



* For BIND 9:

cd /path/to/managed-key-dir/

cat $(ls -t *.mkeys|head -1) # find the latest managed keys

or  cat managed-keys.bind



* For Knot (provided by Stephane Bortzmeyer):


cat /etc/kresd/yeti-root.keys


# socat - UNIX-CONNECT:/tmp/kresd/tty/$(pidof kresd)

> trust_anchors.keyset()

[string "return table_print(trust_anchors.keyset())"]:1: attempt to call
field 'keyset' (a table value)

> trust_anchors.keyset
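
An added example, not part of the original message and not code from unbound or the Yeti project: a shell function that summarizes what to look for after the `cat yeti.key` step for unbound. It assumes unbound's autotrust file layout, in which each DNSKEY line carries a `;;state=N` comment (0 START, 1 ADDPEND, 2 VALID, 3 MISSING, 4 REVOKED, 5 REMOVED); the function names and the sample lines, including the placeholder key data, are constructed.

```shell
#!/bin/sh
# Added example: list the RFC 5011 state of each key in an unbound
# autotrust file, e.g.  ksk_states yeti.key

ksk_states() {
    # One output line per DNSKEY: "<flags> <sep|zsk> <revoke-bit|-> <state>"
    awk '
    BEGIN { split("START ADDPEND VALID MISSING REVOKED REMOVED", name, " ") }
    /^[ \t]*;/ { next }                      # comment-only line
    {
        flags = ""
        for (i = 1; i < NF; i++)
            if ($i == "DNSKEY") { flags = $(i + 1); break }
        if (flags == "") next                # not a DNSKEY record
        state = "UNKNOWN"
        # unbound stores the trust-anchor state as a trailing ;;state=N comment
        if (match($0, /;;state=[0-9]+/)) {
            n = substr($0, RSTART + 8, RLENGTH - 8) + 0
            if (n <= 5) state = name[n + 1]
        }
        sep = (flags % 2 == 1) ? "sep" : "zsk"                  # SEP flag (KSK)
        rev = (int(flags / 128) % 2 == 1) ? "revoke-bit" : "-"  # REVOKE flag, 0x0080
        print flags, sep, rev, state
    }' "$@"
}

sample_yeti_key() {
    # Constructed sample lines; the key data is a placeholder, not a real key.
    cat <<'EOF'
; autotrust trust anchor file (constructed sample)
. 86400 IN DNSKEY 385 3 8 PLACEHOLDERKEYDATA ;;state=4 [ REVOKED ] ;;count=0
. 86400 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA ;;state=2 [  VALID  ] ;;count=0
EOF
}

sample_yeti_key | ksk_states
```

A key whose flags field has the REVOKE bit set (385 instead of 257) and whose state is REVOKED or REMOVED is the rolled-out KSK; the resolver should also list one KSK in state VALID.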




