[Yeti DNS Discuss] Re: Yeti KSK roll status

Davey Song(宋林健) ljsong at biigroup.cn
Fri May 12 06:57:26 UTC 2017


Now the revoked KSK is removed from the root zone. By definition the revoked
key does not need to stay in the zone for the whole remove hold-on timer.
So we shorten the duration in which the revoked key is in the zone to reduce
the size of the DNSKEY response.

Now the BIND9 resolver shows “remove pending” and unbound shows “revoked”.

Davey

From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of dbgong
Sent: 3 May 2017 17:14
To: discuss
Subject: [Yeti DNS Discuss] Yeti KSK roll status

Hi Folks,

The old Yeti KSK (19444) has been revoked, and it will take effect at the next
serial number (2017050300).

If you are running a yeti resolver, please check the state of the KSK in the
resolver.

* For unbound:

cat yeti.key

* For BIND 9:

cd /path/to/managed-key-dir/
cat $(ls -t *.mkeys|head -1) # find the latest managed keys

or cat managed-keys.bind

* For Knot (provided by Stephane Bortzmeyer):

cat /etc/kresd/yeti-root.keys

# socat - UNIX-CONNECT:/tmp/kresd/tty/$(pidof kresd)
> trust_anchors.keyset()
[string "return table_print(trust_anchors.keyset())"]:1: attempt to call field 'keyset' (a table value)
> trust_anchors.keyset

Regards,

--

Kevin
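
Added example (not part of either message above, and not Yeti project code): shell functions that summarise the per-key RFC 5011 state from an unbound autotrust file such as the yeti.key mentioned above, instead of reading it by eye. The sample file is constructed, with made-up key tags and key material; the `;;state=N [ NAME ]` comment layout is the one unbound writes in autotrust files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report RFC 5011 trust-anchor states from an unbound
# autotrust file. Function names are hypothetical.

# Constructed sample in unbound's autotrust layout. Key tags, key material
# and timestamps are made up and do not come from the Yeti root zone.
sample_anchor_file() {
cat <<'EOF'
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1494572246
. 86400 IN DNSKEY 385 3 8 AwEAAconstructedOLD ;{id = 11111 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1493802840
. 86400 IN DNSKEY 257 3 8 AwEAAconstructedNEW ;{id = 22222 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1490000000
EOF
}

# Read an autotrust file on stdin and print "keytag flags state" per DNSKEY.
# Flags 257 is an active KSK; 385 is the same key with the REVOKE bit set.
ksk_states() {
  awk '$4 == "DNSKEY" && /;;state=/ {
    tag = $0
    sub(/.*;[{]id = /, "", tag); sub(/ .*/, "", tag)
    state = $0
    sub(/.*;;state=[0-9]+ \[ */, "", state); sub(/ *\].*/, "", state)
    print tag, $5, state
  }'
}

# Exit 0 when at least one key is VALID and none is MISSING (a key that
# vanished from the DNSKEY RRset without being revoked). REVOKED and
# REMOVED entries are the expected trace of a retired KSK.
roll_ok() {
  ksk_states | awk '
    $3 == "VALID"   { valid++ }
    $3 == "MISSING" { missing++ }
    END { exit !(valid >= 1 && missing == 0) }'
}

# Demo on the constructed sample; for a real resolver: ksk_states < yeti.key
sample_anchor_file | ksk_states
if sample_anchor_file | roll_ok; then
  echo "trust anchors look consistent"
else
  echo "check trust anchors: no VALID key, or a key is MISSING"
fi
```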
