[dns-operations] "KSK-2017" appears
Tony Finch
dot at dotat.at
Wed Jul 12 14:04:23 UTC 2017
Dick Visser <dick.visser at geant.org> wrote:
>
> https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
>
> "After it is running, BIND observes if there are new trust anchors
> being introduced for the root, and downloads them and updates the
> trust anchor database."
>
> Does this happen in-memory?
There are "mkeys" (managed keys) file(s) maintained in BIND's working
directory which retain the RFC 5011 state. There is one for each view if
you have multiple views, plus a journal file for each one.
You can run `rndc secroots` to make BIND dump its trust anchor state into
the file "named.secroots" in its working directory.
For example, on one server I have provoked it to trust both current KSKs:
----------------------------------------
$ ls -la /var/run/bind/
total 73568
drwxrwsr-x 2 fanf2 named 4096 Jul 11 16:30 ./
drwxr-sr-x 11 fanf2 staff 4096 Aug 26 2016 ../
-rw-r--r-- 1 named named 1421 Jul 11 16:30 auth.mkeys
-rw-r--r-- 1 named named 3680 Jul 11 16:29 auth.mkeys.jnl
-rw-r--r-- 1 named named 74080256 Jul 12 14:53 dnstap
-rw-r--r-- 1 named named 117401 Jul 11 16:04 dnstap.0
-rw-r--r-- 1 named named 6 Jul 11 16:29 named.pid
-rw-r--r-- 1 named named 352 Jul 11 16:04 named.secroots
-rw-r--r-- 1 named named 74698 Apr 11 11:41 named.stats
-rw-r--r-- 1 named named 1011968 May 12 17:22 named_dump.db
-rw-r--r-- 1 named named 1421 Jul 11 16:30 rec.mkeys
-rw-r--r-- 1 named named 3680 Jul 11 16:29 rec.mkeys.jnl
-rw-r----- 1 named named 102 Jul 11 16:03 session.key
$ rndc secroots
$ cat /var/run/bind/named.secroots
secure roots as of 12-Jul-2017 13:55:02.279:
Start view bind
Secure roots:
Negative trust anchors:
Start view rec
Secure roots:
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
Negative trust anchors:
Start view auth
Secure roots:
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
Negative trust anchors:
----------------------------------------
On another server I am waiting to see how the RFC 5011 roll goes. There
are some differences in the filenames here, because there's an old unused
managed-keys file left over from before I introduced views, and the
per-view mkeys files have an old-style name which is the hash of the view
name.
----------------------------------------
$ ls -la
total 260044
drwxrwsr-x 3 named named 4096 Jul 12 14:53 ./
drwxr-xr-x 9 root root 4096 Jan 6 2015 ../
-rw-rw-r-- 1 named named 1421 Jul 12 12:26 0d6e4079e36703ebd37c00722f5891d28b0e2811dc114b129215123adcce3605.mkeys
-rw-rw-r-- 1 named named 512 Jul 12 12:26 0d6e4079e36703ebd37c00722f5891d28b0e2811dc114b129215123adcce3605.mkeys.jnl
-rw-rw-r-- 1 named named 1421 Jul 12 12:26 4caa06bd0e89b1695f9533cb586443232dad216ffd525dcc1a628c844b9e80a4.mkeys
-rw-rw-r-- 1 named named 512 Jul 12 12:26 4caa06bd0e89b1695f9533cb586443232dad216ffd525dcc1a628c844b9e80a4.mkeys.jnl
-rw-r--r-- 1 named named 1429 Feb 26 2016 managed-keys.bind
-rw-r--r-- 1 named named 512 Feb 26 2016 managed-keys.bind.jnl
-rw-r--r-- 1 named named 6 Jul 11 12:26 named.pid
-rw-r--r-- 1 named named 7586 Oct 31 2016 named.zones
-rw-r--r-- 1 named named 3198 Oct 31 2016 named.zones.in-view
drwxrwsr-x 2 named named 4096 Dec 17 2015 nsnotify2stealth/
-rw-r----- 1 named named 102 Jul 3 18:15 session.key
$ rndc secroots
$ cat named.secroots
secure roots as of 12-Jul-2017 14:55:37.926:
Start view main
Secure roots:
./RSASHA256/19036 ; managed
Negative trust anchors:
Start view unfiltered
Secure roots:
./RSASHA256/19036 ; managed
Negative trust anchors:
----------------------------------------
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Dogger: Northwest, backing southwest later, 4 or 5, occasionally 6 at first.
Slight or moderate. Fair. Good.
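Added example, not part of Tony's message or of BIND itself: a small POSIX shell check that reads the `rndc secroots` dump described above and reports, per view, whether a given root KSK key tag is present. The key tags come from the dumps in the thread (20326 is KSK-2017, 19036 is the older KSK-2010); the secroots text it parses below is a constructed sample in the shape of the thread's output, not a real capture. The function only looks at the `./ALGORITHM/KEYTAG ; managed` lines under each `Start view` block, so a view with no secure roots (the CHAOS `bind` view in the first dump) is reported but does not count as a failure.

```sh
#!/bin/sh
# Added example (not from the original post or from ISC/BIND).
# check_secroots KEYTAG < named.secroots
#   prints one line per view and returns 0 only if every view that has
#   secure roots lists KEYTAG among its managed/trusted keys.
check_secroots() {
    tag=$1
    awk -v tag="$tag" '
        BEGIN { bad = 0 }
        # Each view starts with a "Start view NAME" line (BIND indents it).
        /^ *Start view / { if (view != "") report(); view = $3; found = 0; roots = 0; next }
        # Trust anchor lines look like "./RSASHA256/20326 ; managed".
        $1 ~ /^\.\/[A-Za-z0-9-]+\/[0-9]+$/ {
            split($1, f, "/"); roots++       # f[2] = algorithm, f[3] = key tag
            if (f[3] == tag) found = 1
            next
        }
        END { if (view != "") report(); exit bad }
        function report() {
            if (roots == 0) { print view ": no secure roots (nothing to roll)"; return }
            if (found) print view ": OK (" tag " present)"
            else { print view ": MISSING " tag; bad = 1 }
        }
    '
}

# Constructed sample in the shape of the dumps above (not a real capture):
# "rec" already trusts both KSKs, "main" still has only KSK-2010.
sample_secroots() {
    cat <<'EOF'
secure roots as of 12-Jul-2017 13:55:02.279:
 Start view bind
   Secure roots:
   Negative trust anchors:
 Start view rec
   Secure roots:
./RSASHA256/20326 ; managed
./RSASHA256/19036 ; managed
   Negative trust anchors:
 Start view main
   Secure roots:
./RSASHA256/19036 ; managed
   Negative trust anchors:
EOF
}

# Run against the sample: exit status is 1 because view "main" lacks 20326.
sample_secroots | check_secroots 20326 || echo "at least one view is not ready for the KSK roll"
```

On a live server the same check is `rndc secroots && check_secroots 20326 < named.secroots`, run from named's working directory (where the mkeys and named.secroots files in the listings above live); a MISSING line for a validating view means RFC 5011 has not yet added the new key there and that view will fail validation once the old KSK is retired.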