Where can I find the current copy of bind.keys?
All versions of BIND since 9.8.x use the same bind.keys file. The current copy of the bind.keys file can be found on our FTP site: BIND 9.8.x and higher bind.keys file.
How is the bind.keys file used?
When named starts, it needs certain information, such as how to reach the root servers, before it can respond to recursive queries. If named is configured to do DNSSEC validation, it also needs starting trust anchors. While all of this information is configurable via the named.conf file, ISC has tried to make the configuration files simpler by compiling this information into named so that it doesn't have to be set in the named.conf file.
BIND 9 has offered root hints (initial priming of root servers) for years. If you don't put a hints file in named.conf, named will use the compiled-in hints.
Configuring trust anchors for DNSSEC validation has required adding trusted-keys statements explicitly into the named.conf file. ISC provides a bind.keys file that contains the root key and the DLV key. (Note that the DLV has been decommissioned and we recommend updating resolver configurations that query the DLV.)
For Current Releases (BIND 9.11 and higher):
- If you configure your own managed-keys statement in named.conf, this will take precedence.
- If you put "dnssec-validation auto" in named.conf, named will read the root key from bind.keys the first time it executes.
- If you don't have anything in named.conf and there is no bind.keys file, named will use the compiled-in keys.
Note: these are managed keys, so this only applies the first time you execute named. Assuming that the keys are not already expired (in which case named will log that the key is expired and validation will not work), named will use RFC 5011 to detect new keys and will automatically roll and maintain them. Once named is managing the keys, the current keys will be in managed-keys.bind, or in *.mkeys files if you use views.
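As an added illustration (not ISC's own file or an excerpt from this page), the named.conf fragment below shows the three trust-anchor sources described above for BIND 9.11 and higher and the precedence between them: an explicit managed-keys statement wins, otherwise "dnssec-validation auto" reads bind.keys on the first run, and the compiled-in keys are the fallback. The directory path and the key material are placeholders, not the real root KSK.

```conf
// Example named.conf fragment (added illustration, not ISC's file).
options {
    directory "/var/named";   // assumption: managed-keys.bind is written here

    // Recommended on BIND 9.11+: named reads the root key from bind.keys
    // the first time it runs, then keeps it current with RFC 5011.
    // The compiled-in keys are used only if no bind.keys file exists.
    dnssec-validation auto;
};

// Alternative: your own managed-keys statement. If present, it takes
// precedence over bind.keys and the compiled-in keys, and RFC 5011 still
// rolls the key after the first start. The key string is a PLACEHOLDER.
// Flags 257 mark a KSK, protocol 3, algorithm 8 (RSASHA256).
// managed-keys {
//     "." initial-key 257 3 8 "PLACEHOLDER_BASE64_ROOT_KSK_PUBLIC_KEY";
// };

// Legacy form: a static trusted-keys statement is never updated by
// RFC 5011, so it has to be edited by hand at every root KSK rollover.
// trusted-keys {
//     "." 257 3 8 "PLACEHOLDER_BASE64_ROOT_KSK_PUBLIC_KEY";
// };
```

After the first start, `rndc managed-keys status` (BIND 9.11+) lists the trust anchors named is currently maintaining from managed-keys.bind.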
Earlier versions of BIND
BIND 9.6 and 9.7 included bind.keys files with the same keys in a slightly different format. We are not providing updated bind.keys files for these releases as they are well past end-of-life. If you are using them, we recommend upgrading to a supported version.