About DNSSec-Validation=Yes and bind.keys

Petr Menšík pemensik at redhat.com
Thu Nov 12 21:29:16 UTC 2020

Hello Onur,

sharing your named-checkconf -p output would be a good start. bind.keys
should not be required, if your build is recent and it has new key
built-in. Please share also your BIND version.

Difference between auto and yes is, auto includes built-in keys
automatically. With yes, you have to include them yourself.

Try adding:

include "/etc/bind.keys";

to your configuration, if dnssec-validation yes; is used.

Best Regards,

On 11/12/20 11:18 AM, Onur GURSOY wrote:
> Hello Everyone,
> I have some trouble about bin9 and dnssec
> When i set dnssec-validation to auto.
> My dns server is talking with google dns server ( and
> and
> when i set to dnssec-validation to yes
> it couldn't talk with google dns server.
> i have realized, there is no pre defined bind.keys.
> I donwload it from this
> https://downloads.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
> and i added manually but result is the same
> They didn't talk with google dns server.
> So
> where is the difference auto and yes.
> and why default bind.keys file didn't come by default
> Where is the problem.
> If you want i can provide wireshark output.
> Many Many Thanks,
> With My Best Regards,
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x4931CA5B6C9FC5CB_and_old_rev.asc
Type: application/pgp-keys
Size: 9364 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201112/9f3d5964/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20201112/9f3d5964/attachment-0001.bin>

More information about the bind-users mailing list