managed-keys vs trust-anchors

Evan Hunt each at isc.org
Wed Jan 4 19:59:12 UTC 2023


On Mon, Jan 02, 2023 at 07:33:46AM -0500, Bob McDonald wrote:
> I've upgraded to bind 9.16.36.
> 
> I went to the ISC site and picked up the bind.keys file.
> 
> However, it is intended for use in bind 9.11 and contains the managed-keys
> clause. This throws an error in the syslog messages during startup. It
> appears to still function correctly.
> 
> In the ARM for bind 9.16 it states that managed-keys clause is deprecated.
> Replacing the managed-keys clause with the trust-anchors clause seems to
> fix the issue. In the file itself it states the following:
> 
> # This file is NOT expected to be user-configured.
> 
> Perhaps I've missed something. If not, the documentation needs to be a bit
> more clear on this. Would it be helpful to have a version of the bind.keys
> file for bind 9.16 and above?

Thanks for bringing this to our attention. It's no longer necessary
to get the bind.keys file from the ISC website. We've updated the
site to remove the downloadable version, and just put some explanatory
text there instead.

The bind.keys file was originally put there for reasons that aren't really
applicable anymore; you can safely rely on the one that's compiled in to
named now.  Some background on this can be found in the discussion at
https://www.mail-archive.com/bind-users@lists.isc.org/msg31664.html.

(And, if for some odd reason you really do need to download a new copy of
bind.keys instead of updating BIND, you can pull it from the source tree:
https://gitlab.isc.org/isc-projects/bind9/-/blob/main/bind.keys.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

