BIND 9.11.1-P2 - New DNSSEC Root Key

wattie

It fixes security vulnerabilities and adds the following:

Code:
New DNSSEC Root Key

   ICANN is in the process of introducing a new Key Signing Key (KSK) for
   the global root zone. BIND has multiple methods for managing DNSSEC
   trust anchors, with somewhat different behaviors. If the root key is
   configured using the managed-keys statement, or if the pre-configured
   root key is enabled by using dnssec-validation auto, then BIND can keep
   keys up to date automatically. Servers configured in this way will roll
   seamlessly to the new key when it is published in the root zone.
   However, keys configured using the trusted-keys statement are not
   automatically maintained. If your server is performing DNSSEC
   validation and is configured using trusted-keys, you are advised to
   change your configuration before the root zone begins signing with the
   new KSK. This is currently scheduled for October 11, 2017.

   This release includes an updated version of the bind.keys file
   containing the new root key. This file can also be downloaded from
   https://www.isc.org/bind-keys .

Is DirectAdmin affected and is there anything that we should do about it?

https://lists.isc.org/pipermail/bind-announce/2017-June/001052.html
 
Is DirectAdmin affected and is there anything that we should do about it?
No, because BIND is not provided by DirectAdmin; it's amongst the things you have to preinstall.

So to update BIND, just use the update system of the OS, like apt-get for Debian-like systems and yum for CentOS/Red Hat/Fedora, when the update becomes available for your OS.

There might be something for DirectAdmin for when creating domains, not sure about that. But that would be an action for DA, not for us I guess.
 
I'm no DNSSEC expert. But looking at this:

If your server is performing DNSSEC
validation and is configured using trusted-keys, you are advised to
change your configuration before the root zone begins signing with the
new KSK. This is currently scheduled for October 11, 2017.

It means that this is for when you are using BIND as a DNS server for clients to resolve any domain. Because then it can check if the DNSSEC of a domain is valid, based on root keys it has locally.

When talking about DA environments, DNSSEC is only used to sign your own domains, which should be unrelated to root keys.
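An added example, not part of the thread and not ISC's or DirectAdmin's code: a small Python check that classifies a named.conf along the lines the release note draws (a static root key in trusted-keys versus managed-keys or dnssec-validation auto). The function names, result labels and sample configurations are constructed for illustration, and the key data are placeholders rather than real DNSKEYs.

```python
import re

# Quoted strings are matched first so "//" or "#" inside key data is not
# mistaken for a comment; named.conf accepts /* */, // and # comments.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def has_root_anchor(conf, statement):
    """True if any `statement { ... };` block has an entry for the root zone."""
    for body in re.findall(rf"\b{statement}\s*\{{(.*?)\}}\s*;", conf, flags=re.S):
        for entry in body.split(";"):
            fields = entry.split()
            if fields and fields[0].strip('"') == ".":
                return True
    return False

def assess(conf_text):
    """Classify a named.conf against the KSK rollover advice in the release note."""
    conf = strip_comments(conf_text)
    m = re.search(r"\bdnssec-validation\s+(\w+)\s*;", conf)
    mode = m.group(1).lower() if m else "unset"
    if mode == "no":
        return "not-validating"        # e.g. a server that only signs/serves its own zones
    if has_root_anchor(conf, "trusted-keys"):
        return "review-trusted-keys"   # static root key, not maintained by BIND
    if mode == "auto" or has_root_anchor(conf, "managed-keys"):
        return "auto-rollover"         # root key is kept up to date automatically
    return "no-root-anchor"            # no root key configured in this file

# Constructed samples (placeholder key data, hypothetical zone names).
SAMPLES = {
    "static": 'options { dnssec-validation yes; };\n'
              'trusted-keys { "." 257 3 8 "PLACEHOLDER//KEY+DATA=="; };',
    "managed": 'options { dnssec-validation yes; };\n'
               'managed-keys { . initial-key 257 3 8 "PLACEHOLDER"; };',
    "auto": 'options { dnssec-validation auto; };\n'
            '// trusted-keys { "." 257 3 8 "OLD"; };  (commented out)',
    "authoritative": 'options { dnssec-validation no; recursion no; };',
    "non-root": 'trusted-keys { "example.com." 257 3 8 "PLACEHOLDER"; };',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} {assess(text)}")
```

The script only reads the text it is given; files pulled in with `include` have to be checked separately.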
 