Hi Vladimir,
thank you! I'll include that.
I was hoping for a command to check if my running resolver really has the keys.
E.g. unbound supports "dig @address trustanchor.unbound -c CH -t TXT",
bind has "rndc secroots".
That makes it relatively easy to know that everything is in order.
/Ulrich
On 23.03.26 at 16:00, Vladimír Čunát wrote:
On 20/03/2026 14.21, Ulrich Wisser via knot-resolver-users wrote:
I am trying to make a small tutorial for different resolvers on how
to check that the Root KSK is updated.
How can I check that for Knot resolver?
I wonder. We have an automatic check which should detect it and log a
warning during startup by default:
log_warn(ffi.C.LOG_GRP_TAUPDATE, 'you need to update package with trust anchors in "%s" before it breaks', file_name)
So maybe that's the best way. Knot Resolver is normally packaged to
either (1) use root trust anchors shipped with it - in which case
users should be fine unless using a rather old version (which will
have security issues anyway). As for the currently new KSK, we were
adding that in the 2024 Summer.
Or (2) it uses root trust anchors which have a separate package in
that distro (e.g. Debian and derivatives), in which case I really hope
that the distro packagers won't forget, especially when speaking of
long-term-supported distros (say Ubuntu 24.04).
--Vladimir
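A file-level check of the kind Ulrich asks for, as an added example (my script, not code from Knot Resolver or any other resolver): it reads a trust anchor file in zone-file syntax (DS and/or DNSKEY records, the form Knot Resolver, Unbound and BIND read), computes the RFC 4034 key tag of each KSK DNSKEY, and reports which expected key tags are present or missing. The sample file contents and the expected tag set {12345, 2063} are constructed placeholders; the real tags to expect come from IANA's published root trust anchors.

```python
"""Which root KSK trust anchors does a resolver's anchor file hold? (added example)

Parses a trust anchor file in zone-file syntax (DS and/or DNSKEY records, the
form Knot Resolver, Unbound and BIND read) and lists the KSK key tags, so they
can be compared with the tags IANA publishes for the root KSK set."""
import base64

def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF

def anchor_keytags(text: str) -> set[int]:
    """Key tags of KSK anchors: every DS record, plus DNSKEYs with the SEP bit set."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments, tokenise
        if not fields:
            continue
        i = 1                                       # skip optional TTL and class
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        rtype, rest = fields[i].upper(), fields[i + 1:]
        if rtype == "DS":
            tags.add(int(rest[0]))                  # DS carries the key tag directly
        elif rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rest[:3])
            if flags & 0x0001:                      # SEP bit marks a KSK
                key = base64.b64decode("".join(rest[3:]))
                tags.add(dnskey_keytag(flags, proto, alg, key))
    return tags

def check_anchors(text: str, expected: set[int]) -> dict:
    """Report found/missing key tags; ok only when every expected tag is present."""
    found = anchor_keytags(text)
    return {"found": found, "missing": expected - found, "ok": expected <= found}

# Constructed sample: the DS digest and the DNSKEY key bytes are made up, and the
# tags to expect must come from IANA's root anchor publication, not from here.
SAMPLE = """\
; constructed root anchor file
.  IN DS 12345 8 2 DIGESTPLACEHOLDER
.  IN DNSKEY 257 3 8 AQIDBA==
"""
```

Point `check_anchors(open(path).read(), expected_tags)` at the anchor file named in Knot Resolver's warning (or at the distro's root anchor package file) with the tags IANA publishes; a non-empty `missing` set means the resolver does not have the new KSK on disk.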