From 59f34c1fc775bf1817c49f5b4a121285f9608efc Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 4 Feb 2017 22:15:30 -0800 Subject: [PATCH] [v9_11] release note about new root key --- doc/arm/notes.xml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index cc7e6ff6f3..e1c2e5d726 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -33,6 +33,35 @@ +
New DNSSEC Root Key + + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the managed-keys + statement, or if the pre-configured root key is enabled by using + dnssec-validation auto, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + trusted-keys statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using trusted-keys, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + + + This release includes an updated version of the + bind.keys file containing the new root + key. This file can also be downloaded from + + https://www.isc.org/bind-keys + . + +
+
License Change With the release of BIND 9.11.0, ISC changed to the open