bind 9.7.4 on centos6

Mark Andrews marka at isc.org
Mon Sep 5 23:54:50 UTC 2011


In message <1315237316.31288.2.camel at ns.five-ten-sg.com>, Carl Byington writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> > "dnssec-lookaside auto;" only pulls the "dlv.isc.org" key out of
> > that file.  The root's key is just for reference in BIND 9.7.x.  If
> > you just include that file into named.conf it will load the root's
> > key and org's answers will validate.
> 
> > e.g.
> >         include "/etc/named.iscdlv.key";
> 
> > BIND 9.8 has "dnssec-validate auto;" which pulls the root's key out
> > of that file.
> 
> Thanks! That works.

Good.

ISC ships the file as "/etc/bind.keys" with the following comments
per version.  The comments are there to prevent issues such as this.
Please report the lack of appropriate comments to the RPM maintainer.

Mark

BIND 9.6-ESV-R5:
/* $Id: bind.keys,v 1.2.2.4 2011-01-04 19:15:12 each Exp $ */
# This file contains current trust anchors for the DNS root zone (".")
# and for the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  It is
# provided within BIND 9 for convenience of configuration.  To use these
# keys, copy the trusted-keys statement below into named.conf, or else set
# named.conf to "include" this file.
#
# These keys are current as of January 2011.  If any key fails to
# work correctly, it may have expired.  In that event, you should
# replace this file with a current version.  The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
#
# (NOTE: If this file is used via the "include" directive in named.conf,
# then it is NOT advisable to modify it.  In BIND 9.7 and higher, this file
# is used directly by named.  Upgrades to BIND may overwrite the file and
# eliminate any user-configured keys.  Furthermore, in those versions of
# BIND, this file can only be used for a specific set of domain names, and
# any other trust anchors configured here would be ignored.  So, while it
# is possible to use this file for other trust anchors in BIND 9.6, doing
# so may lead to problems when you upgrade.)


BIND 9.7.4:
/* $Id: bind.keys,v 1.5.42.3 2011-03-25 17:46:40 each Exp $ */
# The bind.keys file is used to override built-in DNSSEC trust anchors
# which are included as part of BIND 9.  As of the current release (BIND
# 9.7), the only trust anchor it sets is the one for the ISC DNSSEC
# Lookaside Validation zone ("dlv.isc.org").  Trust anchors for any other
# zones MUST be configured elsewhere; if they are configured here, they
# will not be recognized or used by named.
#
# This file also contains a copy of the trust anchor for the DNS root zone
# (".").  However, named does not use it; it is provided here for
# informational purposes only.  To switch on DNSSEC validation at the
# root, the root key below can be copied into named.conf.
#
# The built-in DLV trust anchor in this file is used directly by named.
# However, it is not activated unless specifically switched on.  To use
# the DLV key, set "dnssec-lookaside auto;" in the named.conf options.
# Without this option being set, the key in this file is ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011.  If any key fails to
# initialize correctly, it may have expired.  In that event you should
# replace this file with a current version.  The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

 
BIND 9.8.1:
/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9.  As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options.  To use the built-in DLV key, set
# "dnssec-lookaside auto;".  Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011.  If any key fails to
# initialize correctly, it may have expired.  In that event you should
# replace this file with a current version.  The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> 
> iD8DBQFOZO21L6j7milTFsERAruYAJ9cKNZQQwPmr1dzlf0ctwL3XbabFACeLFCN
> mrsMpO2wT/oMRQa89hbojiY=
> =CGzL
> -----END PGP SIGNATURE-----
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
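
The version rules in the bind.keys comments above can be turned into a configuration check. The sketch below is an added example, not part of the original message and not ISC code: it reports where named would get a root trust anchor from, given a named.conf and a BIND version. The function names, the `files` mapping that stands in for the filesystem, and the placeholder key data are all assumptions made for illustration.

```python
import re

# Strings are matched first so "//" inside base64 key data is not mistaken for a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_INCLUDE = re.compile(r'\binclude\s+"([^"]+)"\s*;')
_KEYS = re.compile(r'\b(?:trusted|managed)-keys\s*\{(.*?)\}\s*;', re.S)
# A key entry whose owner name is the root: . [initial-key] flags proto alg "data"
_ROOT = re.compile(r'(?:^|;)\s*"?\."?\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"')
_VALIDATION_AUTO = re.compile(r'\bdnssec-validation\s+auto\s*;')

def expand(text, files, depth=0):
    """Strip comments, then inline include statements (files: path -> content)."""
    text = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)
    if depth >= 8:  # guard against include loops
        return text
    return _INCLUDE.sub(lambda m: expand(files.get(m.group(1), ''), files, depth + 1), text)

def root_anchor_source(version, conf, files):
    """Where named gets a root trust anchor from, or None if it has none.
    version is (major, minor), e.g. (9, 7)."""
    text = expand(conf, files)
    # Any version: a root key stated in named.conf, directly or via include.
    if any(_ROOT.search(body) for body in _KEYS.findall(text)):
        return "key in named.conf"
    # BIND 9.8 and later: the root key is taken from bind.keys when switched on.
    if version >= (9, 8) and _VALIDATION_AUTO.search(text):
        return "bind.keys (dnssec-validation auto)"
    return None

# Constructed sample input: placeholder key data, not real keys.
FILES = {"/etc/named.iscdlv.key": '''
managed-keys {
    # DLV key
    dlv.isc.org. initial-key 257 3 5 "AAAA//BBBB";
    # root key
    . initial-key 257 3 8 "CCCC//DDDD";
};
'''}
OPTIONS_97 = 'options { dnssec-validation yes; dnssec-lookaside auto; };\n'
OPTIONS_98 = 'options { dnssec-validation auto; dnssec-lookaside auto; };\n'
INCLUDE = 'include "/etc/named.iscdlv.key";\n'

if __name__ == "__main__":
    for label, ver, conf in [("9.7, lookaside only", (9, 7), OPTIONS_97),
                             ("9.7, file included", (9, 7), OPTIONS_97 + INCLUDE),
                             ("9.8, validation auto", (9, 8), OPTIONS_98)]:
        print(f"{label}: root anchor = {root_anchor_source(ver, conf, FILES)}")
```

A result of `None` for a 9.7 configuration is the situation this thread started from: `dnssec-lookaside auto;` alone activates only the DLV key.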


