See: https://www.icann.org/resources/pages/ksk-rollover
This may affect everybody who runs a recursive resolver. In case only the old key (id 19036) is present, DNS requests to the root zone would fail starting on said date. Our resolvers need to know the new key (id 20326) as well.
I cannot say anything about BIND. For Unbound, we may want to check that the setting auto-trust-anchor-file is defined in unbound.conf(5) - here it is:
Code:
...
auto-trust-anchor-file: /var/unbound/root.key
...
And in addition, that /var/unbound/root.key really lists both keys as valid, i.e. the new and the old one:
Code:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1538658969 ;;Thu Oct 4 10:16:09 2018
;;last_success: 1538658969 ;;Thu Oct 4 10:16:09 2018
;;next_probe_time: 1538698557 ;;Thu Oct 4 21:15:57 2018
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1511246394 ;;Tue Nov 21 04:39:54 2017
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1508640056 ;;Sun Oct 22 00:40:56 2017
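An added example, not part of the original post: a small Python check that parses the per-key comments in an autotrust file like the one above and reports whether key id 20326 is in the VALID state. The sample file contents are constructed, with the key data replaced by a placeholder, and the function names are this example's own.

```python
import re
import sys

# The comment Unbound appends to each DNSKEY line, e.g.
#   ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
KEY_RE = re.compile(r";\{id = (\d+) \(\w+\).*?\}\s*;;state=\d+\s*\[\s*(\w+)\s*\]")

def parse_anchor_states(text):
    """Return {key_id: state_label} for every DNSKEY record in the file text."""
    states = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):  # header comments such as ";;id: . 1"
            continue
        m = KEY_RE.search(line)
        if m:
            states[int(m.group(1))] = m.group(2)
    return states

def missing_valid(text, required=(20326,)):
    """Return the required key ids that are absent or not marked VALID."""
    states = parse_anchor_states(text)
    return [k for k in required if states.get(k) != "VALID"]

# Constructed sample inputs; <key-data> stands in for the base64 public key.
REC = ". 172800 IN DNSKEY 257 3 8 <key-data> ;{id = %d (ksk), size = 2048b} ;;state=%d [ %s ] ;;count=0\n"
HEADER = "; autotrust trust anchor file\n;;id: . 1\n;;query_failed: 0\n"
SAMPLE_BOTH = HEADER + REC % (20326, 2, "VALID") + REC % (19036, 2, "VALID")
SAMPLE_OLD_ONLY = HEADER + REC % (19036, 2, "VALID")
# New key seen but still in its hold-down period: not yet trusted.
SAMPLE_PENDING = HEADER + REC % (20326, 1, "ADDPEND") + REC % (19036, 2, "VALID")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /var/unbound/root.key
        with open(sys.argv[1]) as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"both": SAMPLE_BOTH, "old-only": SAMPLE_OLD_ONLY,
                  "pending": SAMPLE_PENDING}
    rc = 0
    for name, text in inputs.items():
        missing = missing_valid(text)
        print(name, parse_anchor_states(text),
              "OK" if not missing else "NOT VALID: %s" % missing)
        rc = rc or (1 if missing else 0)
    sys.exit(rc if len(sys.argv) > 1 else 0)
```

When given a file path, the script exits non-zero if 20326 is missing or in any state other than VALID, so it can be used in a monitoring check.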