dnssec-validation auto vs yes

Shawn Zhou shawnzhou00 at yahoo.com
Thu Jun 13 00:42:54 UTC 2019


 Thanks Evan. Sounds like "dnssec-validation auto" is a more future-proof option for what I want. I will use that instead.


    On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt <each at isc.org> wrote:  
 
 On Wed, Jun 12, 2019 at 11:40:27PM +0000, Shawn Zhou via bind-users wrote:
> The default BIND9 installation for CentOS7 has dnssec-validation set to
> "yes" and it also includes managed-keys as well. Do those managed-keys
> get updated automatically?

Yes, if the "managed-keys" statement is in named.conf (or included in
it via an "include" statement) then the keys will be updated automatically.
Based on what you copy-pasted, that appears to be the case.

"dnssec-validation auto" causes named to use its built-in key for the root
zone, so you don't have to put your own "managed-keys" statement into
named.conf, but otherwise it's the same as "dnssec-validation yes".

(BTW, a note in passing: we're changing the command from "managed-keys" to
"dnssec-keys" over the next few years. The new syntax will be available in
BIND 9.15.1, which should be out next week; the old syntax will be
phased out later.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
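
As an added example (not part of the thread and not ISC code), a small Python check for the distinction discussed above: it reads the dnssec-validation setting, follows "include" statements, and flags "dnssec-validation yes" when no key statement is reachable, the case where named has no trust anchor to validate against. The file names, the directory path and the key placeholder are constructed, and the regexes only approximate named.conf syntax.

```python
import re

# Trust-anchor statements: "managed-keys" and "dnssec-keys" are named in the
# thread; "trusted-keys" is BIND's statement for static keys.
ANCHOR_RE = re.compile(r'(?:^|[;}\s])(managed-keys|dnssec-keys|trusted-keys)\s*\{')
INCLUDE_RE = re.compile(r'include\s+"([^"]+)"\s*;')
VALIDATION_RE = re.compile(r'dnssec-validation\s+(\w+)\s*;')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)  # naive stripper

def flatten(name, files, seen=None):
    """Text of `name` with comments removed and include statements expanded."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return ""  # include loop, or a file that was not supplied
    seen.add(name)
    text = COMMENT_RE.sub("", files[name])
    return INCLUDE_RE.sub(lambda m: flatten(m.group(1), files, seen), text)

def audit(files, main="named.conf"):
    """Return (dnssec-validation setting, anchor statements found, verdict)."""
    text = flatten(main, files)
    m = VALIDATION_RE.search(text)
    setting = m.group(1) if m else "unset"
    anchors = sorted(set(ANCHOR_RE.findall(text)))
    if setting == "auto":
        verdict = "validates with the built-in root key"
    elif setting == "yes":
        verdict = ("validates with configured keys" if anchors
                   else "no trust anchor configured")
    elif setting == "no":
        verdict = "validation disabled"
    else:
        verdict = "not set: version default applies"
    return setting, anchors, verdict

# Constructed sample: file names are made up and key material is elided.
SAMPLE = {
    "named.conf": 'options {\n'
                  '    dnssec-validation yes;\n'
                  '    managed-keys-directory "/var/named/dynamic";\n'
                  '};\n'
                  'include "root.key";  // anchors live in a separate file\n',
    "root.key": 'managed-keys {\n'
                '    . initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK";\n'
                '};\n',
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Note that "managed-keys-directory" is an option, not a key statement, so it does not count as a trust anchor here.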
  