root-anchor.xml & anchors.xml in Bind

David Forrest drf at maplepark.com
Sat Jul 17 14:07:05 UTC 2010


On Sat, 17 Jul 2010, Lyle Giese wrote:

> OK I am confused a bit.  Can someone shed just a bit of light on this
> for me?  (This is such a new topic not much is available in searches yet)
>
> IANA put out anchors2keys python script and I have that working.  If I
> include the resulting files into named.conf as an include,
> named (9.7.1-P2) loads up but does not mention importing those keys, but
> complains loudly if the file asked for in the include statement is not
> there. That part is good, it appears to be reaching out and at least
> reading the file and knows it's there. But did it import that data and
> is named using it?  That is not answered quite so quickly.
>
> Now I read with great interest the thread here about how to use the
> root-anchor.xml.  Kalman Feher takes the root-anchor output from
> anchors2keys as a trusted-key and changes it to a managed-key and then
> imports into named's data.  Doing that results in named adding the . key
> into its managed keys zone files and you can see them in the *.mkeys files.
>
> What is the difference between managed-keys and trusted-keys?
>
> And should I be importing anchors.xml as managed-keys instead of
> trusted-keys?
>
> Thanks,
> Lyle Giese
> LCR Computer Services, Inc.
>
Lyle,
To see what the named.conf actually is after all includes, I run this:
/usr/local/sbin/named-checkconf -p >/var/named/named.conf.canonical
and just browse the resulting output.

Dave
St. Louis, MO
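
An added example, not part of the original post: a small filter for the `named-checkconf -p` output mentioned above that reports which trust anchors named parsed and whether each sits in a `trusted-keys` or a `managed-keys` statement. The function names and the sample configuration are constructed for illustration, and the filter assumes each key entry is printed on one line.

```shell
#!/bin/sh
# list_anchors: read canonical named.conf text (named-checkconf -p output)
# on stdin and print one line per DNSSEC trust anchor:
#   <statement> <zone> <flags> <algorithm>
list_anchors() {
    awk '
        # Start of a trust-anchor statement (top level or inside a view).
        /^[ \t]*(trusted-keys|managed-keys)[ \t]*[{]/ {
            stmt = $1
            sub(/[{].*/, "", stmt)
            next
        }
        # The closing brace ends the statement.
        stmt != "" && /^[ \t]*[}];/ { stmt = ""; next }
        # Key entry: "zone" [initial-key] flags protocol algorithm "data";
        stmt != "" && NF >= 4 {
            zone = $1
            gsub(/"/, "", zone)
            i = 2
            if ($i == "initial-key") i++
            print stmt, zone, $i, $(i + 2)
        }
    '
}

# Constructed sample of canonical output; the key data is a placeholder.
sample_config() {
    cat <<'EOF'
options {
    directory "/var/named";
    dnssec-validation yes;
};
managed-keys {
    "." initial-key 257 3 8 "CONSTRUCTEDKEYDATA==";
};
trusted-keys {
    "example.com" 257 3 5 "CONSTRUCTEDKEYDATA==";
};
EOF
}

sample_config | list_anchors
```

On a live server the same filter would be fed with `named-checkconf -p | list_anchors`; an empty result means no trust anchor from the include reached the parsed configuration.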