root zone initial key in bind.keys

Evan Hunt each at
Wed Feb 23 17:32:44 UTC 2011

> That may have been the intent, but I can assure you that it isn't what
> actually happens!

Whoops.  You're right, and it's a bug.  The keys aren't read without
"dnssec-lookaside auto" being turned on, but if it is, then both keys are
loaded.  This works correctly in 9.8, but a little piece of code that was
supposed to have been committed to 9.7 seems to have been left out by
mistake.  My apologies; apparently we've made some people's systems more
secure than we intended. :/

If anyone is out there who wants to be using ISC DLV but does not want to
use the root key, comment the root key out of bind.keys.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
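
A way to check the result of the workaround described in the message above, as an added example that is not part of the original message or of BIND's own code: it lists which trust anchors are still active in a bind.keys-style file once commented-out entries are ignored. The sample content and key strings are constructed placeholders, and the `managed-keys` / `initial-key` layout is assumed to match the bind.keys file being discussed.

```python
import re

# Constructed sample in a bind.keys-style layout (assumption); the key
# material is placeholder text, not real DNSKEY data.
SAMPLE = '''\
managed-keys {
    # ISC DLV trust anchor
    dlv.isc.org. initial-key 257 3 5 "PLACEHOLDER//DLV+KEY
        CONTINUED==";

    # Root key, commented out as the message suggests
    # . initial-key 257 3 8 "PLACEHOLDER/ROOT+KEY
    #     CONTINUED==";
};
'''

# Quoted strings are matched first so that "//" inside base64 key data
# is never mistaken for the start of a comment.
_TOKEN = re.compile(r'''
    "(?:[^"\\]|\\.)*"      # quoted string, may span several lines
  | /\*.*?\*/              # C-style block comment
  | (?:\#|//)[^\n]*        # shell- or C++-style comment to end of line
''', re.S | re.X)


def strip_comments(text):
    """Remove named.conf-style comments, leaving quoted key data intact."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def active_anchors(text):
    """Return zone names that still have an uncommented initial-key entry."""
    body = strip_comments(text)
    return re.findall(r'(\S+)\s+initial-key\s+\d+\s+\d+\s+\d+\s+"', body)


if __name__ == "__main__":
    # With the root entry commented out, only the DLV anchor remains.
    print(active_anchors(SAMPLE))
```

To check a real file, pass its contents to `active_anchors()`; a `.` in the result means the root key entry is still live.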

