dnssec-validation auto vs yes

Warren Kumari warren at kumari.net
Thu Jun 13 17:51:17 UTC 2019


On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt <each at isc.org> wrote:
>
> On Wed, Jun 12, 2019 at 11:40:27PM +0000, Shawn Zhou via bind-users wrote:
> > The default BIND9 installation for CentOS7 has dnssec-validation set to
> > "yes" and it also includes managed-keys as well. Do those managed-keys
> > get updated automatically?
>
> Yes, if the "managed-keys" statement is in named.conf (or included in
> it via an "include" statement) then the keys will be updated automatically.
... assuming that named can write to the directory. This is definitely
worth double-checking.

W

> Based on what you copy-pasted, that appears to be the case.
>
> "dnssec-validation auto" causes named to use its built-in key for the root
> zone, so you don't have to put your own "managed-keys" statement into
> named.conf, but otherwise it's the same as "dnssec-validation yes".
>
> (BTW, a note in passing: we're changing the command from "managed-keys" to
> "dnssec-keys" over the next few years. The new syntax will be available in
> BIND 9.15.1, which should be out next week; the old syntax will be
> phased out later.)
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
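
The write-access check raised in the reply above, as an added example that is not part of the original messages. It assumes BIND's `managed-keys-directory` option falls back to the `directory` option when unset, that paths in the config are absolute, and it uses hypothetical function names and a constructed sample config.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample config is constructed.

# Print the directory named uses for managed-keys state, from named.conf text
# on stdin: managed-keys-directory if set, otherwise the directory option.
# Assumption: one option per line, absolute paths without spaces.
keys_dir() {
    awk '
        $1 == "managed-keys-directory" { gsub(/[";]/, "", $2); mkd = $2 }
        $1 == "directory"              { gsub(/[";]/, "", $2); dir = $2 }
        END {
            if (mkd != "") { print mkd }
            else if (dir != "") { print dir }
            else { exit 1 }
        }
    '
}

# Return 0 if the directory exists and the current user can write to it.
# Run the script as the account named runs as, so the answer applies to named.
dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Check the config file given as $1 and report the result.
check_conf() {
    d=$(keys_dir < "$1") || { echo "no directory option in $1"; return 2; }
    if dir_writable "$d"; then
        echo "ok: $d is writable"
    else
        echo "FAIL: $d is missing or not writable"
        return 1
    fi
}

# Demo on a constructed config that points at a scratch directory.
tmp=$(mktemp -d)
mkdir "$tmp/dynamic"
cat > "$tmp/named.conf" <<EOF
options {
    directory "$tmp";
    managed-keys-directory "$tmp/dynamic";
    dnssec-validation yes;
};
EOF
check_conf "$tmp/named.conf"
rm -rf "$tmp"
```

On a real server, call `check_conf` with the path to the live named.conf while running as the named service account.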

