Question about missing bind.keys
J Doe
general at nativemethods.com
Wed Apr 13 01:37:22 UTC 2022
On 2022-03-30 02:23, Evan Hunt wrote:
> On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
>> I have a question about the bind.keys file and what happens when it is
>> not available.
> [...]
>> ** If I don't have bind.keys in my BIND directory but have:
>> dnssec-validation auto in my named.conf, is BIND automatically getting
>> the trust anchor and storing it in managed-keys.bind so that when my
>> recursive resolver does a lookup and performs DNSSEC validation,
>> validation works ? Or do I still need to download bind.keys from [1] ?
>
> There's a copy of bind.keys that's compiled directly in named. If
> the file isn't there, named will just use its own internal copy.
>
> The first time named starts up with 'dnssec-validation' set to 'auto',
> it fetches the current root key, validates it against its local
> copy (either from bind.keys or from its own built-in copy), and then
> keeps the key up to date according to the RFC 5011 protocol from
> then on.
>
> The recommendation to use bind.keys and not rely on the built-in
> version was based on some assumptions that are no longer true. First,
> `dnssec-validation auto` is now the default, so unless you disabled it on
> purpose, you've been validating and keeping the root key up to date since
> the first time you ran your server. Second, back in those days it was
> harder to get hold of regularly-updated packages for BIND, and scads
> of people were running outdated code.
>
> We were concerned that someone would be running an old version of named,
> the root key would change, and *then* they'd decide to turn validation on
> for the first time, and it wouldn't work. To smooth that out a bit, we
> added the bind.keys file to the release tarball, and when giving tutorials
> about turning on DNSSEC validation, we included a note that you should
> always check whether bind.keys needed to be updated.
>
> In today's world, I don't think it's important anymore.
>
Hi Evan,
Apologies for my late reply. Thank you so much for the detailed
explanation of: dnssec-validation auto and what happens when: bind.keys
doesn't exist.
With this setting in place in my: named.conf I then restarted BIND, gave
it a second to pull the trust information and then used: delv to test
verification.
The first test for unverified/unsigned was:
$ delv google.com
; unsigned answer
. . .
... and the second test for verified/signed was:
$ delv ietf.org
; fully validated
. . .
... which wouldn't have worked if: dnssec-validation auto failed in
getting the same information as: bind.keys.
- J
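As an added example (not part of the thread, and not BIND's own tooling), a small POSIX shell helper that turns the verdict line delv prints into a one-word status, so the two manual checks above can be scripted and run after a restart. The "; fully validated" and "; unsigned answer" markers are the ones quoted in the thread; the "; negative response, ..." variants and the "failed" fallback for anything else (SERVFAIL, bogus data, no usable trust anchor) are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify delv output instead of eyeballing it.
# Verdict words printed by classify_delv:
#   secure   - chain of trust validated up to the root key
#   insecure - provably unsigned zone (no DNSSEC at that name)
#   failed   - anything else (assumption: bogus, SERVFAIL, no trust anchor)

# Read delv output on stdin, print exactly one verdict word.
classify_delv() {
    awk '
        /^; fully validated/                    { print "secure";   found = 1; exit }
        /^; negative response, fully validated/ { print "secure";   found = 1; exit }
        /^; unsigned answer/                    { print "insecure"; found = 1; exit }
        /^; negative response, unsigned/        { print "insecure"; found = 1; exit }
        END { if (!found) print "failed" }
    '
}

# Live check: run delv (shipped with BIND 9 utilities) and classify it.
check_name() {
    delv "$1" 2>&1 | classify_delv
}

# Constructed sample outputs shaped like the two tests in the thread
# (addresses are documentation-range placeholders, not real answers).
SAMPLE_UNSIGNED='; unsigned answer
google.com.     300     IN      A       192.0.2.1'
SAMPLE_SIGNED='; fully validated
ietf.org.       1800    IN      A       192.0.2.2
ietf.org.       1800    IN      RRSIG   A 13 2 1800 (constructed signature)'
SAMPLE_BROKEN=';; resolution failed: SERVFAIL'

# Offline demonstration over the constructed samples.
demo() {
    printf 'google.com (constructed): %s\n' "$(printf '%s\n' "$SAMPLE_UNSIGNED" | classify_delv)"
    printf 'ietf.org   (constructed): %s\n' "$(printf '%s\n' "$SAMPLE_SIGNED" | classify_delv)"
    printf 'broken     (constructed): %s\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | classify_delv)"
}

# With names on the command line, query them for real; otherwise run the demo.
if [ "$#" -gt 0 ] && command -v delv >/dev/null 2>&1; then
    for name in "$@"; do
        printf '%s: %s\n' "$name" "$(check_name "$name")"
    done
else
    demo
fi
```

Run it with no arguments to see the three constructed cases, or with names (e.g. the two from the thread) against a resolver that has `dnssec-validation auto` in effect; a "failed" result for a name that should validate is the cue to inspect the managed-keys state rather than to download bind.keys.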