Describe Root Zone KSK/ISC-BIND here.

2017 Root Key Rollover – What Does it Mean for BIND Users?

https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/

1. Executive summary

If you manage a DNS resolver, you may need to take action in 2017 due to the upcoming root key rollover.

    If you use BIND with “managed-keys” for the root zone or “dnssec-validation auto”, there is low risk.
    If you use BIND with “trusted-keys” for the root zone, you need to update your configuration.
    Anyone setting up a new BIND instance around the time of the root key rollover will need to pay careful attention, to ensure their system is able to initialize properly.
    Organizations repackaging or redistributing BIND will need to update their distributions in 2017 to ensure any new installations that happen during or after October 2017 include the new key.

There are some risks in all configurations, discussed below.

Impact of Changing the DNSSEC Root Key

No Impact on Authoritative Publishers

If you are managing an authoritative BIND system, the root key rollover should not have any impact on your operations. It would still be wise to be aware of the timing of the rollover, particularly if you are signing your zones.

2. In summary

    If you are running authoritative services with BIND, or a resolver that is not doing DNSSEC-validation, you should not see an impact.

    If you are running a BIND validating resolver using managed-keys, relax, you should be fine. If you are curious, check for the new key in your managed-keys BIND instance after July, 2017.

    If you are running a BIND validating resolver using trusted-keys and you can upgrade to managed-keys, do so now, before the root key rollover.

-- ToshinoriMaeno 2017-07-27 14:37:48

ISC will be releasing updated versions of BIND in 2017 that incorporate the new key. At this time, the new key is not yet ready to be published. ISC will be able to begin introducing the new key in BIND at some point after the successful completion of the next key ceremony, currently planned for February 2, 2017. Anyone providing re-packaged versions of BIND should plan to update their distributions in Q1 or Q2 of 2017. Older versions of BIND, for example in older operating system releases, must also be updated.
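
The cases in the summaries above (trusted-keys, managed-keys, "dnssec-validation auto", not validating) can be told apart by reading a resolver's named.conf. The script below is an added example, not code from ISC or from the original page; the function names, result strings and sample configurations are assumptions made for illustration, and the key data is a placeholder rather than a real root key.

```python
import re

# Quoted strings are matched first so "//" inside base64 key data survives.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def root_anchor_kinds(conf):
    """Return the statement types (trusted-keys / managed-keys) that list "."."""
    kinds = set()
    blocks = re.finditer(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;", conf, re.S)
    for block in blocks:
        for entry in block.group(2).split(";"):  # one key entry per ';'
            fields = entry.split()
            if fields and fields[0].strip('"') == ".":
                kinds.add(block.group(1))
    return kinds

def classify(conf):
    """Map named.conf text onto the cases listed in the summary."""
    conf = strip_comments(conf)
    mode = re.search(r"\bdnssec-validation\s+(\w+)\s*;", conf)
    mode = mode.group(1) if mode else None
    kinds = root_anchor_kinds(conf)
    if mode == "no":
        return "not validating: no impact expected"
    if "trusted-keys" in kinds:
        return "trusted-keys for root: update configuration"
    if mode == "auto" or "managed-keys" in kinds:
        return "managed root key: low risk"
    return "no root trust anchor found"

# Constructed samples; the key data is a placeholder, not a real root KSK.
STATIC = '''options { dnssec-validation yes; };
trusted-keys { "." 257 3 8 "PLACEHOLDER//KEYDATA=="; };  // static anchor
'''
MANAGED = '''options { dnssec-validation yes; };
managed-keys { "." initial-key 257 3 8 "PLACEHOLDER//KEYDATA=="; };
'''
AUTO = '''options { dnssec-validation auto; };
# trusted-keys { "." 257 3 8 "PLACEHOLDER//KEYDATA=="; };
'''

if __name__ == "__main__":
    for name, conf in (("STATIC", STATIC), ("MANAGED", MANAGED), ("AUTO", AUTO)):
        print(name, "->", classify(conf))
```

The script reads only the text it is given and does not follow include statements, so any included file that may hold key statements has to be checked as well.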