root zone initial key in bind.keys
cet1 at cam.ac.uk
Wed Feb 23 16:37:31 UTC 2011
On Feb 23 2011, Matus UHLAR - fantomas wrote:
>after downloading and unpacking bind9.7.3, there's bind.keys file that
>contains this comment:
># This file also contains a copy of the trust anchor for the DNS root zone
># ("."). However, named does not use it; it is provided here for
># informational purposes only. To switch on DNSSEC validation at the
># root, the root key below can be copied into named.conf.
>Does this still apply? Do I really have to copy the key for "." into
>bind.conf in order for it to be used and it's not managed automatically?
>Or did I misunderstand something here?
Experiment reveals that, *provided* you use "dnssec-lookaside auto;",
BIND uses both entries in the managed-keys statement in [prefix]/etc/bind.keys.
In fact, the documentation in the file is not consistent. Apart from
the bit you quote, there is also this
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
just before the root key itself, which contradicts the former (and appears
to be true!).
Personally, on production servers, I would rather not rely on what ISC
are doing with this file, but have my own managed-keys statement and
avoid "dnssec-lookaside auto;".
Email: cet1 at cam.ac.uk
More information about the bind-users