[dns-operations] "KSK-2017" appears

Dick Visser dick.visser at geant.org
Wed Jul 12 13:22:24 UTC 2017

On 11 July 2017 at 15:06, Edward Lewis <edward.lewis at icann.org> wrote:
> $ dig . DNSKEY +dnssec @a.root-servers.net

I am somewhat confused about BIND9's 'dnssec-validation' option.
I read in various places that setting this to 'auto' will cause BIND
to fetch a new anchor using rc5011.
For instance https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/

"After it is running, BIND observes if there are new trust anchors
being introduced for the root, and downloads them and updates the
trust anchor database."

Does this happen in-memory?
At least I don't think any config files will be changed...?


Dick Visser
Sr. System & Network Engineer

Want to join us? We're hiring: https://www.geant.org/jobs

More information about the dns-operations mailing list