Current Root/DLV Trust Anchors (bind.keys)

Where can I find the most current copy?

The most current copies of the bind.keys file can be found on our ftp site:

How is the bind.keys file used?

When named starts, it needs certain information before it can respond to recursive queries, such as how to reach the root servers. If named is configured to do DNSSEC validation, it also needs starting trust anchors. While all of this information is configurable via the named.conf file, ISC has tried to make the configuration files simpler by compiling this information into named so that it doesn’t have to be set in the named.conf file.
For root hints (initial priming of root servers), BIND 9 has had this for years. If you don’t put a hints file in named.conf, named will use the compiled-in hints.
However, configuring trust anchors for DNSSEC validation has required adding trusted-keys statements explicitly to the named.conf file. ISC now has a bind.keys file that contains the root key and the DLV key.

For BIND 9.8 and 9.9:

  • If you configure your own managed-keys statement in named.conf, this will take precedence.
  • If you put “dnssec-validation auto” in named.conf, named will read the root key from bind.keys the first time it executes.
  • If you put “dnssec-lookaside auto” in named.conf, named will read the DLV key from bind.keys the first time it executes.
  • If you don’t have anything in named.conf and there is no bind.keys file, named will use the compiled-in keys.

Note: these are managed keys, so this only applies the first time you execute named. Assuming that the keys are not already expired (in which case named will log that the key is expired and validation will not work), named will use RFC 5011 to detect new keys and automatically roll and maintain keys. Once named is managing the keys, the current keys will be in managed-keys.bind or, if you use views, in *.mkeys files.

For BIND 9.7:

  • If you configure your own managed-keys statement in named.conf, this will take precedence.
  • For DLV/dnssec-lookaside, 9.7 works just as 9.8 does.
  • For dnssec-validation, there is no “auto” option. However, if you put a managed-keys statement in named.conf, 9.7 will do the same RFC 5011 key maintenance as in 9.8.

For BIND 9.6:

9.6 does not have any form of automated management of keys. All trust anchors are configured via a trusted-keys statement. There is a bind.keys file included in the distribution, but you should just use it as an example and cut/paste the DLV/root keys into your named.conf file.
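As an added example (not part of the original article), the named.conf fragments that correspond to the three cases above. The key data is replaced by placeholders (take the real values from bind.keys), and the directory path is an assumption:

```conf
// ---- BIND 9.8 / 9.9: let named read the keys from bind.keys itself ----
options {
    directory "/var/named";          // assumed path; adjust to your install
    dnssec-enable yes;
    dnssec-validation auto;          // root key read from bind.keys on first start
    dnssec-lookaside auto;           // DLV key read from bind.keys on first start
    // bindkeys-file "/etc/bind.keys"; // only needed if bind.keys is not at the default path
};
// Do NOT add a managed-keys statement here unless you want it to override bind.keys.

// ---- BIND 9.7: no "auto" for validation, so supply the root key as a managed key ----
// named stores the RFC 5011-maintained copy in managed-keys.bind after first start.
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-BASE64-FROM-bind.keys>";   // placeholder
};
options {
    dnssec-enable yes;
    dnssec-validation yes;           // validation on; anchors come from managed-keys above
    dnssec-lookaside auto;           // DLV works the same way as in 9.8
};

// ---- BIND 9.6: static anchors only; paste the keys from bind.keys by hand ----
// These are never rolled automatically, so they must be updated manually when the
// root or DLV key changes, or validation will fail once the old key expires.
trusted-keys {
    "."            257 3 8 "<ROOT-KSK-BASE64-FROM-bind.keys>";   // placeholder
    "dlv.isc.org." 257 3 5 "<DLV-KEY-BASE64-FROM-bind.keys>";    // placeholder
};
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};
```

Use only one of the three sections in a given named.conf, and run named-checkconf on the result before restarting named; if the log reports the key as expired at startup, the pasted or compiled-in anchor is stale and validation will not work until it is replaced.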