Current Root Trust Anchors


Where can I find the current copy of bind.keys?

All versions of BIND since 9.8.x use the same bind.keys file. The current copy of the bind.keys file can be found on our FTP site (BIND 9.8.x and higher bind.keys file).

How is the bind.keys file used?

When named starts, it needs certain information, such as how to reach the root servers, before it can respond to recursive queries. If named is configured to perform DNSSEC validation, it also needs initial trust anchors. While all of this information is configurable via the named.conf file, ISC has tried to keep configuration files simpler by compiling this information into named so that it does not have to be set in named.conf.

BIND 9 has offered root hints (initial priming of the root servers) for years. If you don’t put a hints file in named.conf, named will use the compiled-in hints.

Configuring trust anchors for DNSSEC validation has required adding trusted-keys statements explicitly into the named.conf file. ISC provides a bind.keys file that contains the root key and the DLV key. (Note that the DLV has been decommissioned and we recommend updating resolver configurations that query the DLV.)

For Current Releases (BIND 9.11 and higher):
  • If you configure your own managed-keys statement in named.conf, it takes precedence.
  • If you put “dnssec-validation auto” in named.conf, named will read the root key from bind.keys the first time it executes.
  • If you don’t have anything in named.conf and there is no bind.keys file, named will use the compiled-in keys.

Note: these are managed keys, so this only applies the first time you execute named. Assuming that the keys have not already expired (in which case named will log that the key is expired and validation will not work), named will use RFC 5011 to detect new keys and will automatically roll and maintain them. Once named is managing the keys, the current keys will be in managed-keys.bind or, if you use views, in *.mkeys.
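The precedence rules above, applied to a named.conf by an added shell example (not ISC's code or part of this article): it reports which trust-anchor source a BIND 9.11+ named will use on first start. It assumes a single-file named.conf with no include directives, comments in //, # or single-line /* */ form, and constructed sample configs whose key string is a placeholder, not a real root key.

```shell
#!/bin/sh
# Added example, not ISC's code: apply the precedence rules above to a named.conf
# and report which trust-anchor source a BIND 9.11+ named will use on first start.
# Assumptions: a single-file named.conf (no "include"), comments in //, # or
# single-line /* */ form, and only the three rules listed on this page.

# trust_anchor_source CONF BIND_KEYS
# prints one of: managed-keys | bind.keys | compiled-in
trust_anchor_source() {
    conf="$1"; keys="$2"
    # drop comments first so a commented-out managed-keys block is not counted
    active=$(sed -e 's,//.*$,,' -e 's,#.*$,,' -e 's,/\*.*\*/,,' "$conf")
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*managed-keys[[:space:]]*\{'; then
        echo managed-keys   # rule 1: an explicit managed-keys statement takes precedence
    elif printf '%s\n' "$active" | grep -Eq 'dnssec-validation[[:space:]]+auto[[:space:]]*;' \
            && [ -r "$keys" ]; then
        echo bind.keys      # rule 2: "auto" reads the root key from bind.keys on first run
    else
        echo compiled-in    # rule 3: nothing usable in named.conf and no bind.keys
    fi
}

# write_samples DIR: two constructed named.conf variants for demonstration.
# The key material below is a placeholder string, not a real root key.
write_samples() {
    d="$1"
    cat > "$d/own.conf" <<'EOF'
options { dnssec-validation auto; };
managed-keys {
    . initial-key 257 3 8 "PLACEHOLDER-NOT-A-REAL-KEY";  // placeholder, not a real key
};
EOF
    cat > "$d/auto.conf" <<'EOF'
options {
    // managed-keys { ... };  commented out, so it must not count
    dnssec-validation auto;
};
EOF
}

# Stand-alone run: write the samples to a temp dir and report each verdict.
main() {
    tmp=$(mktemp -d); write_samples "$tmp"; : > "$tmp/bind.keys"
    for c in own auto; do
        printf '%s: %s\n' "$c.conf" "$(trust_anchor_source "$tmp/$c.conf" "$tmp/bind.keys")"
    done
    printf 'auto.conf without bind.keys: %s\n' "$(trust_anchor_source "$tmp/auto.conf" "$tmp/missing")"
    rm -rf "$tmp"
}
main
```

On a running server, `rndc managed-keys status` (BIND 9.11 and higher) shows which keys named is actually managing, which is the authoritative check once RFC 5011 maintenance has taken over.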

Earlier versions of BIND

BIND 9.6 and 9.7 included bind.keys files with the same keys in a slightly different format. We are not providing updated bind.keys files for these releases as they are well past end-of-life. If you are using them, we recommend upgrading to a supported version.