From: Mark Andrews Date: Wed, 15 Feb 2017 01:54:45 +0000 (+1100) Subject: New DNSSEC Root Key X-Git-Tag: v9.9.9-P8~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4255b853e1066fcfed338bc78df78396fd10f3c2;p=thirdparty%2Fbind9.git New DNSSEC Root Key --- diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 4a637cf0530..a1c6cf268ef 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -62,6 +62,35 @@ +
New DNSSEC Root Key + + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the managed-keys + statement, or if the pre-configured root key is enabled by using + dnssec-validation auto, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + trusted-keys statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using trusted-keys, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + + + This release includes an updated version of the + bind.keys file containing the new root + key. This file can also be downloaded from + + https://www.isc.org/bind-keys + . + +
+
Security Fixes