DNSSEC with 9.7.2-P2

David Forrest drf at maplepark.com
Wed Dec 1 19:27:09 UTC 2010


On Tue, 16 Nov 2010, Mark Andrews wrote:
<snipped>
>>
>> Isn't it sufficient to configure the root trust anchor inside "managed-keys {};"
>> statement? If I understand correctly the key should be automatically
>> updated, shouldn't it?
>
> For 9.7 yes.
>

I just updated to 9.7.2-P3 and got this message on start:
Dec  1 10:52:01 maplepark named[20356]: starting BIND 9.7.2-P3 -u named
Dec  1 10:52:01 maplepark named[20356]: built with defaults
Dec  1 10:52:01 maplepark named[20356]: using up to 4096 sockets
Dec  1 10:52:01 maplepark named[20356]: loading configuration from '/etc/named.conf'
Dec  1 10:52:01 maplepark named[20356]: reading built-in trusted keys from file '/etc/bind.keys'

I had removed that file for -P2 but the sudo make install of -P3 re-wrote it:
[drf at maplepark:~/src/bind-9.7.2-P3]$grep bind.keys typescript 
/usr/bin/install -c -m 644 ./bind.keys /etc
so it is back.


I do have a managed-keys statement in my named.conf:
managed-keys {
   "." initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

and it seems to run OK so far.

My question is whether the built-in trusted keys file (/etc/bind.keys) is 
necessary or not in 9.7.2-P3.  I am assuming it is, as the make step set it 
up.

Dave
-- 
David Forrest                     e-mail drf @ maplepark.com
Maple Park Development Corporation  http://xen.maplepark.com
St. Louis, Missouri    (Sent by ALPINE 2.01 FEDORA 11 LINUX)