root zone initial key in bind.keys

Evan Hunt each at
Wed Feb 23 16:41:14 UTC 2011

> # This file also contains a copy of the trust anchor for the DNS root zone
> # (".").  However, named does not use it; it is provided here for
> # informational purposes only.  To switch on DNSSEC validation at the
> # root, the root key below can be copied into named.conf.
> Does this still apply? Do I really have to copy the key for "." into
> bind.conf in order for it to be used and it's not managed automatically?
> Or did I misunderstand something here?

It still applies in 9.7.3.  In 9.8 (the first release of which should be
published within a week, barring unexpected problems), we added the option
"dnssec-validation auto", which turns on the root key automatically.  But
in 9.7, the only key named pulls out of bind.keys is the one for (and it reads that one only if you turn on "dnssec-lookaside

The "dnssec-validation auto" feature isn't going to be backported to 9.7,
but we thought it would still be useful for people to have a copy of the
root key included somewhere in the tarball, so we put the key into both
branches, but with different comments.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
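As an added illustration (not part of Evan's message or of ISC's shipped files), here are the two configurations he contrasts: the 9.7 style where the root trust anchor is copied from bind.keys into named.conf, and the 9.8 style using "dnssec-validation auto". The key string is a placeholder, not the real root key.

```conf
// --- Alternative A: BIND 9.7.x named.conf fragment ---
// In 9.7 named ignores the root key that ships in bind.keys, so the
// trust anchor has to be copied into named.conf by hand.
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

managed-keys {
    // Root zone KSK copied from bind.keys.  The key data below is a
    // PLACEHOLDER; paste the real base64 string from your bind.keys.
    // Fields: owner name, initial-key, flags, protocol, algorithm, key.
    "." initial-key 257 3 8 "<ROOT-KSK-BASE64-FROM-BIND-KEYS>";
};

// --- Alternative B: BIND 9.8+ named.conf fragment ---
// Use one alternative or the other, not both in the same file.
// With "auto", named turns on the root key itself; no key material
// needs to be copied into named.conf.
options {
    dnssec-enable yes;
    dnssec-validation auto;
};
```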
