root zone initial key in bind.keys
Chris Thompson
cet1 at cam.ac.uk
Wed Feb 23 16:59:52 UTC 2011
On Feb 23 2011, Evan Hunt wrote:
>> # This file also contains a copy of the trust anchor for the DNS root zone
>> # ("."). However, named does not use it; it is provided here for
>> # informational purposes only. To switch on DNSSEC validation at the
>> # root, the root key below can be copied into named.conf.
>>
>> Does this still apply? Do I really have to copy the key for "." into
>> bind.conf in order for it to be used and it's not managed automatically?
>>
>> Or did I misunderstand something here?
>
>It still applies in 9.7.3. In 9.8 (the first release of which should be
>published within a week, barring unexpected problems), we added the option
>"dnssec-validation auto", which turns on the root key automatically. But
>in 9.7, the only key named pulls out of bind.keys is the one for
>dlv.isc.org (and it reads that one only if you turn on "dnssec-lookaside
>auto").
That may have been the intent, but I can assure you that it isn't what
actually happens! To make doubly sure, I stopped the test 9.7.3 named
on my workstation, removed the managed-keys.bind* files as well, and
restarted it with a named.conf with no managed-keys statement but with
"dnssec-lookaside auto". It ends up with trust anchors for both
the root and dlv.isc.org, as shown by all of
* rndc secroots
* what appears in managed-keys.bind
* "ad" bit on appropriate "dig +dnssec" calls
which sort of convinces me ... :-)
--
Chris Thompson
Email: cet1 at cam.ac.uk
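As an added illustration (not part of the thread and not ISC's code) of the three checks Chris lists, the script below turns them into small shell functions that parse saved "dig +dnssec" and "rndc secroots" output. The sample texts embedded at the bottom are constructed, and the resolver address and named.secroots path in the live helper are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a BIND resolver is really validating at the
# root, the way the thread does it, by inspecting "dig +dnssec" and
# "rndc secroots" output. Functions take the captured text as an argument so
# they can be exercised offline; the samples below are constructed.

# 1. dig: succeed only if status is NOERROR and the header flags carry "ad"
#    (authenticated data). A missing "ad" means the answer was not validated.
dig_validated() {
    printf '%s\n' "$1" | grep -q '^;; ->>HEADER<<-.* status: NOERROR' || return 1
    printf '%s\n' "$1" | grep -q '^;; flags:.*[ :]ad[ ;]'
}

# 2. rndc secroots: succeed if the dump lists a trust anchor for zone $2.
#    Anchor lines look like "<name>/<algorithm>", so split on "/" and compare
#    the owner name exactly (this handles "." without regex escaping).
anchor_present() {
    printf '%s\n' "$1" | awk -v n="$2" -F/ '$1 == n { found = 1 } END { exit !found }'
}

# Live variant against a local resolver; not run by default. The resolver
# address and the named.secroots location are assumptions, adjust to taste.
live_check() {
    resolver=${1:-127.0.0.1}
    secroots_file=${2:-/var/named/named.secroots}
    if dig_validated "$(dig +dnssec @"$resolver" . SOA)"; then
        echo "dig: ad flag set, root SOA validated"
    else
        echo "dig: answer NOT validated"
    fi
    rndc secroots
    if anchor_present "$(cat "$secroots_file")" .; then
        echo "secroots: root trust anchor present"
    else
        echo "secroots: no root trust anchor"
    fi
}

# Constructed sample output, for offline use of the functions above.
SAMPLE_DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SECROOTS='secure roots as of 23-Feb-2011 17:00:00.000
 Start view _default
   Trust Anchors
./RSASHA256
dlv.isc.org/RSASHA1'
```

Run `live_check` by hand against a test resolver to reproduce the thread's observation; the functions alone need no network.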