[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

Anand Buddhdev anandb at ripe.net
Fri Feb 5 13:24:41 UTC 2010

[Apologies for duplicates]

Dear Colleagues,

We have discovered that recent versions of the Fedora Linux distribution
are shipping with a package called "dnssec-conf", which contains the
RIPE NCC's DNSSEC trust anchors. This package is installed by default as
a dependency of BIND, and it configures BIND to do DNSSEC validation.

Unfortunately, the current version of this package (1.21) is outdated
and contains old trust anchors.

On 16 December 2009, we had a key roll-over event, where we removed the
old Key-Signing Keys (KSKs). From that time, BIND resolvers running on
Fedora Linux distributions could not validate any signed responses in
the RIPE NCC's reverse zones.

If you are running Fedora Linux with the standard BIND package, please
edit the file "/etc/pki/dnssec-keys//named.dnssec.keys", and comment out
all the lines in it containing the directory path "production/reverse".
Then restart BIND.

This will stop BIND from using the outdated trust anchors. If you do
want to use the RIPE NCC's trust anchors to validate our signed zones,
we recommend that you fetch the latest trust anchor file from our
website and reconfigure BIND to use it instead of the ones distributed
in the dnssec-conf package:


Please remember to check frequently for updates to our trust anchor
file, as we introduce new Key-Signing Keys (KSKs) every 6 months.


Anand Buddhdev,
DNS Services Manager, RIPE NCC

More information about the dns-operations mailing list