Where can I find the current copy of
All versions of BIND since 9.8.x use the same bind-keys. The current copy of the bind.keys file can be found on our FTP site: BIND 9.8.x and higher
How is the bind.keys file used?
When named starts, it needs certain information, such as how to reach the root servers, before it can respond to recursive queries. If named is configured to do DNSSEC validation, it also needs to have starting trust anchors. While all of this information is configurable via the named.conf file, ISC has tried to make the configuration files simpler by compiling this information so that it doesn’t have to be set in the
BIND 9 has offered root hints (initial priming of root servers) for years. If you don’t put a hints file in
named will use the one compiled in hints.
Configuring trust anchors for DNSSEC validation has required adding trusted-keys statements explicitly into the named.conf file. ISC provides a bind.keys file that contains the root key and the DLV key. (Note that the DLV has been decommissioned and we recommend updating resolver configurations that query the DLV.)
For Current Releases (BIND 9.11 and higher):
- If you configure your own managed-keys statement in named.conf, this will take precedence.
- If you put “dnssec-validation auto” in
named will read the root key from bind.keys the first time it executes.
- If you don’t have anything in named.conf and there is no
named will use the one compiled in keys.
Note: these are managed keys, so this only applies the first time you execute named. Assuming that the keys are not already expired (in which case named will log that the key is expired and validation will not work), named will use RFC 5011 to detect new keys and will automatically roll and maintain keys. Once named is managing the keys, the current keys will be in managed-keys.bind or *.mkeys, if you use views.
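The precedence rules above can be checked against a resolver's configuration before an upgrade. The following is an added example, not ISC code: the function names are hypothetical, the sample configurations and paths are constructed, the file named in the third rule is assumed to be bind.keys, and dnssec-lookaside is BIND's option for DLV lookups (the page mentions DLV but does not name the option).

```python
import re

# Quoted strings are matched first so "//" inside base64 key data is not
# mistaken for a comment; the three named.conf comment styles follow.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def _strip(conf):
    """Blank out comments and collapse quoted strings to ""."""
    return _TOKEN.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", conf)

def trust_anchor_source(conf, bind_keys_present):
    """Where named takes its initial root trust anchor from (first start only)."""
    text = _strip(conf)
    # An explicit managed-keys (or older trusted-keys) statement takes precedence.
    if re.search(r"\b(?:managed|trusted)-keys\s*\{", text):
        return "named.conf"
    m = re.search(r"\bdnssec-validation\s+(\w+)\s*;", text)
    mode = m.group(1) if m else None
    if mode == "auto":
        return "bind.keys" if bind_keys_present else "compiled-in"
    if mode is None and not bind_keys_present:
        return "compiled-in"
    return "not-covered"  # combinations the page does not describe

def queries_dlv(conf):
    """True if an active dnssec-lookaside option other than 'no' is present."""
    m = re.search(r"\bdnssec-lookaside\s+([^\s;]+)", _strip(conf))
    return bool(m) and m.group(1) != "no"

# Constructed sample configurations (not taken from any real server).
CURRENT = '''
options {
    directory "/var/named";            // working directory
    # dnssec-lookaside auto;           (commented out, must not count)
    dnssec-validation auto;
    managed-keys-directory "/var/named/dynamic";
};
'''
LEGACY = '''
options { dnssec-lookaside auto; dnssec-validation yes; };
managed-keys { . initial-key 257 3 8 "PLACEHOLDER//KEYDATA=="; };
'''

if __name__ == "__main__":
    for name, conf in (("CURRENT", CURRENT), ("LEGACY", LEGACY)):
        print(name, trust_anchor_source(conf, True), "DLV" if queries_dlv(conf) else "no DLV")
```

Because the keys are managed, the result describes only the first start; after that the live anchors are in managed-keys.bind or *.mkeys.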
Earlier versions of BIND
BIND 9.6 and 9.7 included bind.keys files with the same keys in a slightly different format. We are not providing updated bind.keys files for these releases as they are well past end-of-life. If you are using them, we recommend upgrading to a supported version.