root zone initial key in bind.keys

Chris Thompson cet1 at
Wed Feb 23 16:59:52 UTC 2011

On Feb 23 2011, Evan Hunt wrote:

>> # This file also contains a copy of the trust anchor for the DNS root zone
>> # (".").  However, named does not use it; it is provided here for
>> # informational purposes only.  To switch on DNSSEC validation at the
>> # root, the root key below can be copied into named.conf.
>> Does this still apply? Do I really have to copy the key for "." into
>> bind.conf in order for it to be used and it's not managed automatically?
>> Or did I misunderstand something here?
>It still applies in 9.7.3.  In 9.8 (the first release of which should be
>published within a week, barring unexpected problems), we added the option
>"dnssec-validation auto", which turns on the root key automatically.  But
>in 9.7, the only key named pulls out of bind.keys is the one for
> (and it reads that one only if you turn on "dnssec-lookaside

That may have been the intent, but I can assure you that it isn't what
actually happens! To make doubly sure, I stopped the test 9.7.3 named
on my workstation, removed the managed-keys.bind* files as well, and
restarted it with a named.conf with no managed-keys statement but with
"dnssec-lookaside auto". It ends up with trust anchors for both
the root and, as shown by all of

 * rndc secroots
 * what appears in managed-keys.bind
 * "ad" bit on appropriate "dig +dnssec" calls

which sort of convinces me ... :-)

Chris Thompson
Email: cet1 at
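The three signs of validation Chris lists (rndc secroots, the managed-keys file, the "ad" bit on dig +dnssec answers) can be checked without eyeballing the output. The script below is an added example, not code from this thread or from BIND: it parses dig and rndc secroots output in the shape those tools print, using constructed sample outputs rather than captured ones, and it assumes the lookaside anchor is the dlv.isc.org key (the key tags shown are illustrative). It also separates the cases the thread does not spell out: an answer with no "ad" flag is only evidence of a missing trust anchor if the zone is signed and the client did not send "cd", and a SERVFAIL from a validating resolver usually means validation failed rather than that the anchor is absent.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND itself.  The "dig" and
# "rndc secroots" outputs below are constructed samples in the shape those tools
# print; key tags and the dlv.isc.org anchor are assumptions, not captured data.

# Verdict for one "dig +dnssec" run, read from stdin.  A validating resolver
# sets the "ad" flag on answers it proved secure, answers SERVFAIL for data it
# could not validate, and sets neither for unsigned (insecure) zones.  If the
# client sent "cd" (checking disabled) the resolver skips validation, so the
# missing "ad" says nothing about the trust anchors.
dig_verdict() {
    awk '
        /^;; ->>HEADER<<-/ {
            status = $0
            sub(/.*status: /, "", status)
            sub(/,.*/, "", status)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)
            sub(/;.*$/, "", flags)           # keep only the flag list
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) {
                if (f[i] == "ad") ad = 1     # whole-word match, not "aa"/"ra"
                if (f[i] == "cd") cd = 1
            }
        }
        END {
            if (status != "NOERROR" && status != "NXDOMAIN") print "failed:" status
            else if (ad) print "secure"
            else if (cd) print "unchecked"
            else print "insecure"
        }
    '
}

# Zone names of the trust anchors listed in an "rndc secroots" dump (stdin).
# Anchor lines look like "<zone>/<algorithm>/<keytag>"; everything else is
# header text.
secroots_zones() {
    awk '$1 ~ /^[^\/]+\/[A-Za-z0-9-]+\/[0-9]+$/ { split($1, p, "/"); print p[1] }'
}

# Exit 0 if the dump on stdin contains an anchor for zone $1 (fixed-string,
# whole-line match, so "." does not match every one-character name).
secroots_has_zone() {
    secroots_zones | grep -qxF -- "$1"
}

# --- constructed samples -----------------------------------------------------
DIG_SECURE='; <<>> DiG 9.7.3 <<>> +dnssec www.isc.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5221
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

DIG_INSECURE='; <<>> DiG 9.7.3 <<>> +dnssec www.example.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

DIG_CD='; <<>> DiG 9.7.3 <<>> +dnssec +cd www.isc.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5223
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

DIG_SERVFAIL='; <<>> DiG 9.7.3 <<>> +dnssec www.dnssec-failed.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# What a 9.7.3 named with "dnssec-lookaside auto" and no managed-keys statement
# is described as ending up with: an anchor for the root and one for the DLV
# zone (assumed here to be dlv.isc.org; key tags are illustrative).
SECROOTS='secure roots as of 23-Feb-2011 17:05:10.000:

 Start view _default

   ./RSASHA256/19036
   dlv.isc.org/RSASHA1/64263'

# Stand-alone run over the samples.
for out in "$DIG_SECURE" "$DIG_INSECURE" "$DIG_CD" "$DIG_SERVFAIL"; do
    printf '%s\n' "$out" | dig_verdict
done
printf '%s\n' "$SECROOTS" | secroots_zones
```

Against a live server, feed real output instead of the samples: `dig +dnssec @127.0.0.1 www.isc.org | dig_verdict` and `rndc secroots` followed by `secroots_has_zone . < named.secroots` (9.7 and 9.8 write the dump to a file in named's working directory rather than to stdout). Run the secure, insecure and deliberately broken queries together: "secure" for a signed zone plus SERVFAIL for a known-bad one is the combination that shows the anchor is both present and actually being used.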

More information about the bind-users mailing list