root zone initial key in bind.keys

Chris Thompson cet1 at
Wed Feb 23 16:37:31 UTC 2011

On Feb 23 2011, Matus UHLAR - fantomas wrote:

>after downloading and unpacking bind9.7.3, there's bind.keys file that
>contains this comment:
># This file also contains a copy of the trust anchor for the DNS root zone
># (".").  However, named does not use it; it is provided here for
># informational purposes only.  To switch on DNSSEC validation at the
># root, the root key below can be copied into named.conf.
>Does this still apply? Do I really have to copy the key for "." into
>bind.conf in order for it to be used and it's not managed automatically?
>Or did I misunderstand something here?

Experiment reveals that, *provided* you use "dnssec-lookaside auto;",
BIND uses both entries in the managed-keys statement in [prefix]/etc/bind.keys.

In fact, the documentation in the file is not consistent. Apart from
the bit you quote, there is also this 

 # ROOT KEY: See
 # for current trust anchor information.
 # NOTE: This key is activated by setting "dnssec-validation auto;"
 # in named.conf.

just before the root key itself, which contradicts the former (and appears
to be true!).

Personally, on production servers, I would rather not rely on what ISC
are doing with this file, but have my own managed-keys statement and
avoid "dnssec-lookaside auto;".

Chris Thompson
Email: cet1 at

More information about the bind-users mailing list