auto setting for dnssec-validation and dnssec-lookaside

ben thielsen btb at bitrate.net
Wed Jan 18 04:04:29 UTC 2012


given the following settings in the options stanza [collected from named-checkconf -p]:

dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/bind/keys/dnssec/bind.keys";

i'm trying to understand portions of the following log snippet, following rndc reload/reconfig:

17-Jan-2012 22:42:37.255 general: info: received control channel command 'reload'
17-Jan-2012 22:42:37.255 general: info: loading configuration from '/etc/bind/named.conf'
17-Jan-2012 22:42:37.258 general: info: reading built-in trusted keys from file '/etc/bind/keys/dnssec/bind.keys'
17-Jan-2012 22:42:37.259 general: info: using default UDP/IPv4 port range: [1024, 65535]
17-Jan-2012 22:42:37.259 general: info: using default UDP/IPv6 port range: [1024, 65535]
17-Jan-2012 22:42:37.260 network: info: no IPv6 interfaces found
17-Jan-2012 22:42:37.261 general: info: sizing zone task pool based on 36 zones
17-Jan-2012 22:42:37.261 database: notice: acache 0xb4708008 cleaning interval set to 3600.
17-Jan-2012 22:42:37.265 security: warning: using built-in DLV key for view internal
17-Jan-2012 22:42:37.265 security: warning: using built-in root key for view internal
17-Jan-2012 22:42:37.268 security: warning: using built-in DLV key for view external
17-Jan-2012 22:42:37.268 security: warning: using built-in root key for view external
17-Jan-2012 22:42:37.272 general: info: reloading configuration succeeded
17-Jan-2012 22:42:37.278 general: info: reloading zones succeeded
…

it seems to happily load the root key and the dlv key from /etc/bind/keys/dnssec/bind.keys, but then subsequently prints warnings.  it prints the same warning messages if i omit the bindkeys-file directive, which seems to perhaps indicate that it's reading the file, as it says, but then not using the data?  also, why are these messages only printed upon rndc reload/reconfig, and not when named first starts?  this is bind 9.8.1, courtesy of debian's package repository.

regards
-ben

