From Brian J. Atkisson of Red Hat IT:

In looking at
https://www.redhat.com/en/blog/what-you-need-know-about-first-ever-dnssec-root-key-rollover-october-11-2018,
I checked our IdM server's default named.conf:

options {
[...]
dnssec-enable yes;
dnssec-validation yes;
}

Per https://www.icann.org/dns-resolvers-checking-current-trust-anchors (url is not accessible now):

"First check that DNSSEC validation is set in your configuration file. You should see a line in the options section that says either dnssec-validation auto; or dnssec-validation yes;.

If your configuration shows dnssec-validation yes;, you must change it to dnssec-validation auto;
and restart your server before taking the steps
below."

Current URL for ICANN recommendations: https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

I took a look at /var/named/dynamic/managed-keys.bind, which does contain both 20326 and 19036 keys. Things look fine for the rollover event, although I'm wondering about servers built after the rollover event given 'dnssec-validation yes' instead of 'dnssec-validation auto'

From abbra:
The key itself comes via bind package.

We have 'managed-keys' entry in the IPA-generated named.conf via inclusion of the /etc/named.root.key, so we should be OK with the rollover since our managed-keys entry has 20326 key already.

The scope of this ticket, therefore, is to handle transitioning to dnssec-validation auto from dnssec-validation yes after verifying that 20326 key is available.

We might want to update to 'dnssec-validation auto' to make it prepared
for the next key rollover, I think.