Question about missing bind.keys

J Doe general at nativemethods.com
Wed Apr 13 01:37:22 UTC 2022


On 2022-03-30 02:23, Evan Hunt wrote:

> On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
>> I have a question about the bind.keys file and what happens when it is
>> not available.
> [...]
>> ** If I don't have bind.keys in my BIND directory but have:
>> dnssec-validation auto in my named.conf, is BIND automatically getting
>> the trust anchor and storing it in managed-keys.bind so that when my
>> recursive resolver does a lookup and performs DNSSEC validation,
>> validation works ?  Or do I still need to download bind.keys from [1] ?
> 
> There's a copy of bind.keys that's compiled directly in named. If
> the file isn't there, named will just use its own internal copy.
> 
> The first time named starts up with 'dnssec-validation' set to 'auto',
> it fetches the current root key, validates it against its local
> copy (either from bind.keys or from its own built-in copy), and then
> keeps the key up to date according to the RFC 5011 protocol from
> then on.
> 
> The recommendation to use bind.keys and not rely on the built-in
> version was based on some assumptions that are no longer true. First,
> `dnssec-validation auto` is now the default, so unless you disabled it on
> purpose, you've been validating and keeping the root key up to date since
> the first time you ran your server.  Second, back in those days it was
> harder to get hold of regularly-updated packages for BIND, and scads
> of people were running outdated code.
> 
> We were concerned that someone would be running an old version of named,
> the root key would change, and *then* they'd decide to turn validation on
> for the first time, and it wouldn't work. To smooth that out a bit, we
> added the bind.keys file to the release tarball, and when giving tutorials
> about turning on DNSSEC validation, we included a note that you should
> always check whether bind.keys needed to be updated.
> 
> In today's world, I don't think it's important anymore.
> 

Hi Evan,

Apologies for my late reply.  Thank you so much for the detailed 
explanation of: dnssec-validation auto and what happens when: bind.keys 
doesn't exist.

With this setting in place in my: named.conf I then restarted BIND, gave 
it a second to pull the trust information and then used: delv to test 
verification.

The first test for unverified/unsigned was:

	$ delv google.com
		; unsigned answer
			. . .

... and the second test for verified/signed was:

	$ delv ietf.org
		; fully validated
			. . .

... which wouldn't have worked if: dnssec-validation auto failed in 
getting the same information as: bind.keys

- J
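Added example, not part of the thread: two checks for a resolver running with `dnssec-validation auto`, whether or not bind.keys is on disk. delv validates answers itself with its own built-in or bind.keys trust anchor, so its "; fully validated" line proves the trust anchor works but not that named is validating; the AD flag in a dig response from the resolver proves the latter. The resolver address 127.0.0.1 is an assumption.

```shell
#!/bin/sh
# Classify the status comment delv prints (as in the delv tests above).
#   "; fully validated" / "; negative response, fully validated" -> validated
#   "; unsigned answer"                                          -> unsigned
#   anything else (SERVFAIL, bogus data, resolution error)       -> failed
classify_delv() {            # $1: complete delv output
    if printf '%s\n' "$1" | grep -q '^; .*fully validated'; then
        echo validated
    elif printf '%s\n' "$1" | grep -q '^; unsigned answer'; then
        echo unsigned
    else
        echo failed
    fi
}

# Does the resolver set the AD (authenticated data) flag in a dig response?
# Only a validating resolver sets AD; delv's own verdict does not show this.
has_ad_flag() {              # $1: complete dig output
    printf '%s\n' "$1" \
      | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' \
      | grep -qw ad
}

# Live checks; need delv and dig from BIND. $1: resolver, default 127.0.0.1.
check_resolver() {
    r=${1:-127.0.0.1}
    d=$(classify_delv "$(delv @"$r" ietf.org A 2>&1)")
    echo "delv on a signed zone: $d"
    if has_ad_flag "$(dig @"$r" ietf.org A +dnssec 2>&1)"; then
        echo "resolver sets AD: named is validating"
    else
        echo "resolver does not set AD: named is not validating"
        return 1
    fi
    [ "$d" = validated ]
}
```

Run `check_resolver` (optionally with a resolver address) after restarting named; both lines should report success on a validating resolver.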
