ルートゾーンKSK/日本では/named.confについて、ここに記述してください。

Contents

  1. Authoritative
  2. resolver
  3. ISC
  4. In summary

以下のオプションがどういう効果を持つかは知らない。-- ToshinoriMaeno 2017-07-26 06:20:07

1. Authoritative

How To Setup DNSSEC on an Authoritative BIND DNS Server

Enable DNSSEC by adding the following configuration directives inside options{ } 

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

2. resolver

3. ISC

DNSSECを使っていないケースには影響はない、と書かれてしる。

2017 Root Key Rollover – What Does it Mean for BIND Users? https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/

Executive summary 

If you manage a DNS resolver, you may need to take action in 2017 due to the upcoming root key rollover.
    If you use BIND with “managed-keys” for the root zone or “dnssec-validation auto”, there is low risk.
    If you use BIND with “trusted-keys” for the root zone, you need to update your configuration.
    Anyone setting up a new BIND instance around the time of the root key rollover will need to pay careful attention, to ensure their system is able to initialize properly.
    Organizations repackaging or redistributing BIND will need to update their distributions in 2017 to ensure any new installations that happen during or after October 2017 include the new key.

There are some risks in all configurations, discussed below.

4. In summary

    If you are running authoritative services with BIND, or a resolver that is not doing DNSSEC-validation, you should not see an impact.

    If are running a BIND validating resolver using managed-keys, relax, you should be fine. If you are curious, check for the new key in your managed-keys BIND instance after July, 2017.

    If you are running a BIND validating resolver using trusted-keys and you can upgrade to managed-keys, do so now, before the root key rollover