cant update 'cz'

Tony Finch dot at
Sun Sep 5 18:00:22 UTC 2010

On 30 Aug 2010, at 00:02, clemens at wrote:
> Can you either point me at the documentation I need to read, or 
> explain how to
>    'Add one for the root zone'

Have a look at:

Note that since you are using bind-9.6 you have to use a "trusted-keys" clause since it doesn't support "managed-keys" / RFC 5011. For the same reason bind-9.6 also does not support "dnssec-lookaside auto".

> No I havent done this, and I dont see anything for the root zone when
> I do the above, viz 'anchors2keys < anchors.xml > trusted.keys'.

The ITAR only contains TLD trust anchors, not the root trust anchor nor any for lower zones. Also, the root trust anchor is distributed in a different format to the ITAR so anchors2keys doesn't work on it (hence my blog post).

I recommend ignoring the ITAR (it is due to be eliminated now the root has been signed). Use dnssec-lookaside if you want to validate zones that lack a chain of trust from the root.

f.anthony.n.finch  <dot at>

More information about the bind-users mailing list