Subject: Re: [ISC-Bugs #43670] Warn on seeing trusted-keys option in config
From: "Evan Hunt" <each@isc.org>
To: "Mark Andrews via RT"
Date: Fri, 9 Feb 2018 00:22:07 +0000
Message-ID: <20180209002207.GA87529@isc.org>

> ready for review

I think it might be a good idea for a KSK2010 trusted-key, without any other keys, to be fatal instead of a warning. As a managed-key, it can be a warning. Maybe add a suggestion to remove it from named.conf and rely on bind.keys?

I would consider being more verbose in the DLV warnings and saying ISC DLV is shut down.

The code itself is fine.
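The two configurations the reply contrasts, as an added illustration that is not part of the original message or of BIND's own sources: a named.conf that pins the 2010 root KSK as a static trusted-keys entry (the case the reviewer wants treated as fatal), beside the form the reply suggests, which drops the stanza and relies on the managed keys in bind.keys. The key data is a placeholder, not the real DNSKEY, and the two fragments are alternatives, not one file.

```conf
// --- Flagged form: static root trust anchor pinned in named.conf ---
// A trusted-keys entry never rolls over (RFC 5011 does not apply to it),
// so once the root KSK it names is retired, every validated answer fails.
trusted-keys {
    // Placeholder: the real KSK-2010 base64 key data is deliberately
    // not reproduced here.
    . 257 3 8 "<KSK-2010 public key, base64 placeholder>";
};

options {
    dnssec-validation yes;   // uses only the statically configured anchors
};

// --- Suggested form: no trusted-keys stanza in named.conf at all ---
// "auto" loads the managed-keys from bind.keys (or named's built-in copy),
// which follow KSK rollovers via RFC 5011 and are refreshed by updating
// that file rather than by editing named.conf.
options {
    dnssec-validation auto;
};
```

With the second form a stale root key in named.conf cannot survive a rollover unnoticed, which is why the reviewer prefers a hard failure over a warning for the lone KSK2010 trusted-key case.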