Comments on Root Key Rollover impact on BIND users

Tony Finch dot at
Mon Dec 12 16:43:53 UTC 2016

Thomas Schulz <schulz at> wrote:
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

You seem to have muddled up dnssec-enable and dnssec-validation.

The default is "dnssec-enable yes". This enables support for the DO bit
and correct RRSIG handling. It's usually best to omit the dnssec-enable
option from your configuration file.

The dnssec-validation option controls validation. The default is "no".
If you set it to "yes" then you need to manually configure your trust
anchors. If you set it to "auto" then you can omit any managed-keys
configuration, and BIND will use its built-in default. It's usually
best to set "dnssec-validation auto".

A managed-keys clause without an initial key would be empty :-)

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Fitzroy, Sole: Southwesterly, but cyclonic at first in northwest, 4 or 5,
increasing 6 at times, then increasing 7 or perhaps gale 8 later. Moderate or
rough, occasionally very rough later. Occasional rain. Good, occasionally
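As an added illustration, not part of the reply above, the two configurations the reply describes are shown side by side as named.conf fragments. The key string in the second fragment is a placeholder, not the real root KSK; the file path in the usage note is an assumption.

```conf
// Variant 1 (recommended): let BIND supply and track the root trust anchor.
// dnssec-enable is left at its default (yes) and is deliberately not stated.
options {
    dnssec-validation auto;   // built-in root key, no managed-keys block needed
};

// Variant 2: manual trust anchor. Only needed with "dnssec-validation yes".
// A managed-keys clause must carry an initial-key; an empty one is meaningless.
options {
    dnssec-validation yes;
};

managed-keys {
    // PLACEHOLDER: substitute the current root KSK public key (base64) from IANA.
    // Fields after the name: flags (257 = KSK), protocol (3), algorithm (8 = RSASHA256).
    "." initial-key 257 3 8 "ROOT-KSK-PUBLIC-KEY-BASE64-GOES-HERE";
};
```

Use one variant or the other, not both options blocks in the same file. After editing, `named-checkconf /etc/named.conf` (assumed path) reports syntax errors before the server is reloaded; with Variant 2 the configured anchor must also be kept current across a root key rollover, which is exactly the maintenance burden Variant 1 removes.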
