root zone initial key in bind.keys

Kevin Oberman oberman at
Wed Feb 23 17:41:02 UTC 2011

> Date: Wed, 23 Feb 2011 17:32:44 +0000
> From: Evan Hunt <each at>
> Sender: at
> > That may have been the intent, but I can assure you that it isn't what
> > actually happens!
> Whoops.  You're right, and it's a bug.  The keys aren't read without
> "dnssec-lookaside auto" being turned on, but if it is, then both keys are
> loaded.  This works correctly in 9.8, but a little piece of code that was
> supposed to have been committed to 9.7 seems to have been left out by
> mistake.  My apologies; apparently we've made some people's systems more
> secure than we intended. :/
> If anyone is out there who wants to be using ISC DLV but does not want to
> use the root key, comment the root key out of bind.keys.

I would really hoe that the set described above is an empty set. I can
imagine some reasons some might want to do it, but I can't come up with
a GOOD reason for it. Most people move their trust anchors out of the
DLV when they are confident that the keys are properly located in the
parent zone.

In other words, I think that this should be considered a feature and
not a bug.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

More information about the bind-users mailing list