Question about missing bind.keys

J Doe general at nativemethods.com
Wed Mar 30 04:16:05 UTC 2022


Hello,

I have a question about the bind.keys file and what happens when it is 
not available.

According to the ARM:

     dnssec-validation  This option enables DNSSEC validation in named.
         . . .

     (To prevent problems if bind.keys is not found, the current trust
      anchor is also compiled in named. Relying on this is not
      recommended, however, as it requires named to be recompiled with a
      new key when the root key expires.)

I note the part towards the bottom where it says _not_ to rely on the 
compiled in option when bind.keys is not found.

With the packaged version of BIND that I am using (BIND 9.16.27), no 
bind.keys file was provided.  I then enabled DNSSEC validation by 
adding: dnssec-validation auto in my named.conf file and restarted BIND.

I now see I have a managed-keys.bind file in my BIND directory.  To find 
out more about that I went to [1] which states:

     For Current Releases (BIND 9.11 and higher)
         . . .
     Once named is managing the keys, the current keys will be
     in managed-keys.bind or *.mkeys, if you use views.

In my case, I have BIND configured as a recursive resolver.  I have an 
ACL section and an Options section but no views . . . but I still get 
managed-keys.bind.

My question is:

** If I don't have bind.keys in my BIND directory but have: 
dnssec-validation auto in my named.conf, is BIND automatically getting 
the trust anchor and storing it in managed-keys.bind so that when my 
recursive resolver does a lookup and performs DNSSEC validation, 
validation works?  Or do I still need to download bind.keys from [1]?


Thanks for your help,

- J


Sources:

[1] https://www.isc.org/bind-keys/


More information about the bind-users mailing list
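Whatever the answer about bind.keys turns out to be, the property the poster actually cares about (is this resolver validating?) can be checked empirically from the outside. The script below is an added example for this editing pass, not code from the original post, from ISC or from the BIND distribution. It assumes `dig` and a resolver at 127.0.0.1 for the live check, uses isc.org as a known-signed zone and dnssec-failed.org as a deliberately broken one (both are assumptions; pick zones you trust), and parses constructed dig output so that the file also runs offline. The file name dnssec_check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): check whether a
# recursive resolver is really performing DNSSEC validation.
#
# A validating resolver sets the AD (authenticated data) flag on answers from
# correctly signed zones and returns SERVFAIL for zones whose signatures are
# bogus.  A non-validating resolver answers NOERROR without AD in both cases.
#
# Usage:  sh dnssec_check.sh            # offline demo on constructed samples
#         sh dnssec_check.sh --live [server]   # query a real resolver with dig

# Extract the response status (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Print "yes" if dig's flags line carries the AD bit, otherwise "no".
# The flags line looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
dig_ad_flag() {
    if sed -n 's/^;; flags: \(.*\);.*/\1/p' | tr ' ' '\n' | grep -qx 'ad'; then
        echo yes
    else
        echo no
    fi
}

# Classify one dig run read from stdin:
#   validated      NOERROR with AD set   (resolver validated the answer)
#   not-validated  NOERROR without AD    (unsigned zone, or resolver not validating)
#   servfail       SERVFAIL              (what a validator returns for bogus data)
classify() {
    out="$(cat)"
    status="$(printf '%s\n' "$out" | dig_status)"
    ad="$(printf '%s\n' "$out" | dig_ad_flag)"
    case "$status:$ad" in
        NOERROR:yes) echo validated ;;
        NOERROR:no)  echo not-validated ;;
        SERVFAIL:*)  echo servfail ;;
        *)           echo "other($status)" ;;
    esac
}

# Live check against a resolver.  Succeeds only if a signed zone validates AND
# a deliberately broken zone is refused; the second half is what separates a
# validating resolver from one that merely forwards AD bits it was handed.
# 'rndc managed-keys status' (BIND 9.11+) then shows which trust anchors named
# is actually using.
live_check() {
    server="${1:-127.0.0.1}"
    good="$(dig @"$server" +dnssec isc.org SOA | classify)"
    bad="$(dig @"$server" +dnssec dnssec-failed.org SOA | classify)"
    echo "signed zone (isc.org):            $good  (want: validated)"
    echo "broken zone (dnssec-failed.org):  $bad  (want: servfail)"
    echo "trust anchors in use:             rndc managed-keys status"
    [ "$good" = validated ] && [ "$bad" = servfail ]
}

# Constructed dig header/flags fragments (not captured from a real server)
# covering the three outcomes above.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demonstration by default; the live check only on explicit request.
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-127.0.0.1}"
else
    for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNSIGNED" "$SAMPLE_BOGUS"; do
        printf '%s\n' "$s" | classify
    done
fi
```

Checking the broken zone matters as much as the signed one: a resolver that is not validating at all will happily return NOERROR for both, so the AD flag on isc.org alone proves nothing unless dnssec-failed.org also comes back SERVFAIL.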