bind 9.7.4 on centos6

Adam Tkac atkac at redhat.com
Tue Sep 6 08:44:24 UTC 2011


On 09/06/2011 01:54 AM, Mark Andrews wrote:
> In message <1315237316.31288.2.camel at ns.five-ten-sg.com>, Carl Byington writes:
>>> "dnssec-lookaside auto;" only pulls the "dlv.isc.org" key out of
>>> that file.  The root's key is just for reference in BIND 9.7.x.  If
>>> you just include that file into named.conf it will load the root's
>>> key and org's answers will validate.
>>> e.g.
>>>         include "/etc/named.iscdlv.key";
>>> BIND 9.8 has "dnssec-validate auto;" which pulls the root's key out
>>> of that file.
>> Thanks! That works.
> Good.
>
> ISC ships the file as "/etc/bind.keys" with the following comments
> per version.  The comments are there to prevent issues such as this.
> Please report the lack of appropriate comments to the RPM maintainer.
Hello,

on RHEL6 the /etc/named.iscdlv.key file is a simple copy of ISC's
bind.keys, with all comments:

[root at rhel6 ~]# rpm -q bind
bind-9.7.3-2.el6_1.P3.2.x86_64
[root at rhel6 ~]# cat /etc/named.iscdlv.key |head -5
/* $Id: bind.keys,v 1.5.42.2 2011-01-04 19:14:48 each Exp $ */
# The bind.keys file is used to override built-in DNSSEC trust anchors
# which are included as part of BIND 9.  As of the current release (BIND
# 9.7), the only trust anchor it sets is the one for the ISC DNSSEC
# Lookaside Validation zone ("dlv.isc.org").  Trust anchors for any other
Just for information, I renamed bind.keys to named.iscdlv.key
because we shipped the ISC DLV key in the named.iscdlv.key file before ISC
started shipping bind.keys. It made sense not to break existing
configurations which had named.iscdlv.key included in named.conf.

We are also shipping the root key in /etc/named.root.key, so you can
simply put

include "/etc/named.root.key";

into your named.conf, and the root zone should be validated correctly.

Regards, Adam
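As an added example (not from this thread or from the bind package), a small Python check that follows the include statements in a named.conf and reports whether a root (".") trust anchor is actually configured, since on BIND 9.7 "dnssec-lookaside auto;" alone yields only the dlv.isc.org anchor. The file contents and key strings below are constructed placeholders, not real configuration or DNSKEY data.

```python
import re

# Constructed stand-ins for /etc/named.conf and the RHEL6 key files.
# Key data strings are placeholders, not real DNSKEY records.
SAMPLE_FILES = {
    "/etc/named.conf": """
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;   // on 9.7 this loads only the dlv.isc.org key
};
include "/etc/named.iscdlv.key";
include "/etc/named.root.key";
""",
    "/etc/named.iscdlv.key": """
/* $Id: placeholder header in bind.keys style */
# Comments as shipped in ISC's bind.keys.
managed-keys {
    "dlv.isc.org." initial-key 257 3 5 "PLACEHOLDER-DLV-KEY==";
};
""",
    "/etc/named.root.key": """
trusted-keys {
    . 257 3 8 "PLACEHOLDER-ROOT-KEY==";
};
""",
}

BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"(?m)(?:^|\s)(?:#|//).*")   # '#' or '//' after whitespace
INCLUDE_RE = re.compile(r'(?m)^\s*include\s+"([^"]+)"\s*;')
KEYBLOCK_RE = re.compile(r"\b(?:trusted-keys|managed-keys)\s*\{(.*?)\};", re.S)
# zone [initial-key] flags protocol algorithm "keydata"
ANCHOR_RE = re.compile(r'(?m)^\s*"?([^\s"]+)"?\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"')

def strip_comments(text):
    return LINE_COMMENT_RE.sub("", BLOCK_COMMENT_RE.sub("", text))

def anchors_in(text):
    """Zone names given a trust anchor by trusted-keys/managed-keys blocks."""
    names = set()
    for block in KEYBLOCK_RE.findall(strip_comments(text)):
        names.update(n.rstrip(".") or "." for n in ANCHOR_RE.findall(block))
    return names

def configured_anchors(path, files, seen=None):
    """Anchors named sees starting at `path`, following include statements."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return set()
    seen.add(path)
    text = strip_comments(files[path])
    names = anchors_in(text)
    for inc in INCLUDE_RE.findall(text):
        names |= configured_anchors(inc, files, seen)
    return names

def root_validation_status(path, files):
    """Root validation needs a "." anchor; a DLV anchor alone is not enough on 9.7."""
    names = configured_anchors(path, files)
    return {"root": "." in names, "dlv": "dlv.isc.org" in names}
```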