Question about missing bind.keys

Evan Hunt each at isc.org
Wed Mar 30 06:23:58 UTC 2022


On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
> I have a question about the bind.keys file and what happens when it is 
> not available.
[...]
> ** If I don't have bind.keys in my BIND directory but have: 
> dnssec-validation auto in my named.conf, is BIND automatically getting 
> the trust anchor and storing it in managed-keys.bind so that when my 
> recursive resolver does a lookup and performs DNSSEC validation, 
> validation works? Or do I still need to download bind.keys from [1]?

There's a copy of bind.keys that's compiled directly in named. If
the file isn't there, named will just use its own internal copy.

The first time named starts up with 'dnssec-validation' set to 'auto',
it fetches the current root key, validates it against its local
copy (either from bind.keys or from its own built-in copy), and then
keeps the key up to date according to the RFC 5011 protocol from
then on.

The recommendation to use bind.keys and not rely on the built-in
version was based on some assumptions that are no longer true. First,
`dnssec-validation auto` is now the default, so unless you disabled it on
purpose, you've been validating and keeping the root key up to date since
the first time you ran your server.  Second, back in those days it was
harder to get hold of regularly-updated packages for BIND, and scads
of people were running outdated code.

We were concerned that someone would be running an old version of named,
the root key would change, and *then* they'd decide to turn validation on
for the first time, and it wouldn't work. To smooth that out a bit, we
added the bind.keys file to the release tarball, and when giving tutorials
about turning on DNSSEC validation, we included a note that you should
always check whether bind.keys needed to be updated.

In today's world, I don't think it's important anymore.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
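A practical follow-up to the answer above: rather than worrying about which copy of the root key named started from, check that the resolver is actually validating and that its RFC 5011 managed key is healthy. The script below is an added example, not part of the original message or of BIND itself. It assumes `dig` and `rndc` are installed, that the resolver is reachable at `$RESOLVER` (default 127.0.0.1), and it uses the well-known deliberately broken test zone dnssec-failed.org; the two sample `dig` responses embedded in it are constructed for offline testing of the parsing helpers.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): confirm that a
# resolver running with 'dnssec-validation auto' is really validating.
# Assumptions: dig and rndc are on PATH; the resolver answers at $RESOLVER.

RESOLVER="${RESOLVER:-127.0.0.1}"

# Constructed sample dig output (not captured from a real server), used to
# exercise the parsing helpers without network access.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Succeed (exit 0) if the dig response on stdin carries the AD flag,
# i.e. the resolver authenticated the data it returned.
ad_flag_set() {
    grep -E '^;; flags:.*[[:space:]]ad[;[:space:]]' >/dev/null
}

# Succeed (exit 0) if the dig response on stdin is a SERVFAIL, which is
# what a validating resolver must return for a zone with bad signatures.
is_servfail() {
    grep -E '^;; ->>HEADER<<-.*status: SERVFAIL' >/dev/null
}

# Live check against the resolver; returns 1 on the first failed test.
check_resolver() {
    # 1. A properly signed zone must come back with AD set.
    if dig @"$RESOLVER" +dnssec isc.org SOA | ad_flag_set; then
        echo "OK: isc.org answer validated (AD flag set)"
    else
        echo "FAIL: no AD flag; is dnssec-validation disabled on $RESOLVER?"
        return 1
    fi

    # 2. A zone with deliberately broken signatures must be rejected.
    if dig @"$RESOLVER" +dnssec dnssec-failed.org SOA | is_servfail; then
        echo "OK: bogus zone rejected with SERVFAIL"
    else
        echo "FAIL: bogus zone was accepted; validation is not in effect"
        return 1
    fi

    # 3. Show the RFC 5011 state of the managed root trust anchor.
    rndc managed-keys status
}
```

Run `check_resolver` from a shell that has sourced the script (or append the call at the bottom). If step 1 fails with a plain `NOERROR` and no AD flag, validation is off; if step 2 returns an answer instead of SERVFAIL, the resolver is not validating at all. `rndc managed-keys status` shows whether the trust anchor is still the one named is tracking, and `named -C` prints the built-in default configuration, including the compiled-in copy of the root key the message above refers to.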

