> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinny Abello
> Sent: Thursday, October 23, 2008 10:25 AM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: RE: dnssec lookaside to dlv.isc.org broke recursion
>
> > Correct. You can also use
> >
> > "dig dnskey dlv.isc.org @127.0.0.1 | grep 257"
> >
> > daily from cron and when the answer changes go check the web site.
> > I do something like this for all my trust anchors.
> >
> > % dig dnskey dlv.isc.org @127.0.0.1 | grep 257
> > dlv.isc.org. 7200 IN DNSKEY 257 3 5
> > BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> > brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> > 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> > ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> > Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> > QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
> > %
>
> Is there a best practice for getting this info into BIND in an
> automated fashion? I'm sure I could think of a way and script it, but
> why reinvent the wheel? If this is manual maintenance that has to be
> monitored and updated or else everything breaks, I can see some of the
> hesitation in using dnssec. That was my reservation in signing my own
> zones but the same issue exists here just to validate them.
>
> Will this always be the case even when the root becomes signed or is
> this just due to using the lookaside validation with DLV?
>
> Thanks for your response and time, Mark.
I just noticed that the key is available as part of the named.conf via the following URL:

https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf

I'm assuming this is provided to automate updates. Would there be anything wrong with scripting a wget or similar way of retrieving the file, having that referenced in the named.conf with the include statement, and doing a reconfig afterwards?

-Vinny
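The two procedures discussed in this thread (Mark's daily "dig | grep 257" check, and Vinny's fetch-include-reconfig idea) put together as one cron-driven script. This is an added example for the archive, not code posted by either of them and not ISC's own tooling. It assumes a directory layout under /etc/bind/dlv, that named.conf carries an include of the fetched file alongside the dnssec-lookaside option, and that the published fragment is a single trusted-keys statement holding a dlv.isc.org. KSK; the sample dig output and fragments at the bottom are constructed, not real ISC key material. Two points the thread only hints at are made explicit: a bare grep for 257 also matches a TTL or a base64 substring, so the KSK check is done on the DNSKEY fields instead; and an included file is parsed with the full authority of named.conf, so a fetched fragment is validated (one statement, one brace pair, named-checkconf clean) before it is renamed into place and named is told to reconfig, and a rejected fetch leaves the previously installed key untouched. The DLV service was later retired and BIND now maintains trust anchors itself with RFC 5011 managed-keys, but the fetch, validate, swap, reconfig pattern is the same for any externally published anchor.

```shell
#!/bin/sh
# Added example (not from the thread or ISC). Cron verbs:
#   monitor - snapshot dlv.isc.org KSKs seen via 127.0.0.1, alert on change
#   update  - fetch the published fragment, validate, swap in, rndc reconfig
# Assumed (not from the posts): DLV_DIR layout, fragment is one
# trusted-keys statement, named.conf has
#   include "/etc/bind/dlv/dlv.isc.org.named.conf";

DLV_URL="https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf"
DLV_DIR="${DLV_DIR:-/etc/bind/dlv}"

# KSK records (flags 257) from dig output on stdin, base64 chunks joined.
# Field based, so "257" inside a TTL or key cannot match as "grep 257" would.
# Assumes default dig layout: name ttl IN DNSKEY flags proto alg key...
extract_ksks() {
    awk '$3 == "IN" && $4 == "DNSKEY" && $5 == "257" {
            key = ""; for (i = 8; i <= NF; i++) key = key $i
            print $1, $5, $6, $7, key
         }' | sort
}

# True when the KSK set in NEW differs from OLD. A failed lookup (no
# DNSKEY lines at all) counts as a change, which is what you want alerted.
ksk_changed() {  # ksk_changed OLD_SNAPSHOT NEW_SNAPSHOT
    [ "$(extract_ksks < "$1")" != "$(extract_ksks < "$2")" ]
}

# Shell-level checks before named sees a fetched fragment: non-empty,
# exactly one brace pair (one statement), it is trusted-keys, and it
# carries a dlv.isc.org. KSK entry. Anything else is treated as tampering.
check_fragment() {  # check_fragment FILE
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(tr -cd '{' < "$f" | wc -c | tr -d ' ')" = 1 ] || return 1
    [ "$(tr -cd '}' < "$f" | wc -c | tr -d ' ')" = 1 ] || return 1
    grep -Eq '^[[:space:]]*trusted-keys[[:space:]]*\{' "$f" || return 1
    grep -Eq '^[[:space:]]*dlv\.isc\.org\.[[:space:]]+257[[:space:]]+3[[:space:]]+[0-9]+[[:space:]]+"[A-Za-z0-9+/= ]+"[[:space:]]*;' "$f"
}

monitor_ksks() {
    prev="$DLV_DIR/ksk.snapshot"
    cur="$DLV_DIR/ksk.snapshot.new"
    dig dnskey dlv.isc.org @127.0.0.1 > "$cur" || return 1
    if [ -f "$prev" ] && ksk_changed "$prev" "$cur"; then
        echo "dlv.isc.org KSK set changed; confirm at $DLV_URL before trusting it" >&2
        mv "$cur" "$prev"
        return 2            # non-zero so cron mails the notice
    fi
    mv "$cur" "$prev"
}

update_dlv_include() {
    installed="$DLV_DIR/dlv.isc.org.named.conf"
    staged="$installed.new"
    # wget checks the TLS certificate by default; that HTTPS fetch is the
    # whole trust step, so never add --no-check-certificate here.
    if ! wget -q -O "$staged" "$DLV_URL"; then
        echo "fetch failed, keeping installed key" >&2; rm -f "$staged"; return 1
    fi
    if ! check_fragment "$staged" || ! named-checkconf "$staged"; then
        echo "rejected fetched fragment, keeping installed key" >&2
        rm -f "$staged"; return 1
    fi
    if cmp -s "$staged" "$installed"; then rm -f "$staged"; return 0; fi
    mv "$staged" "$installed"      # atomic rename: named never sees a partial file
    rndc reconfig
}

# Constructed sample data (not real ISC keys) for exercising the checks offline.
sample_dig_old() { cat <<'EOF'
dlv.isc.org.   7200  IN  DNSKEY  256 3 5 AwEAAczskOnePartOne AwEAAczskOnePartTwo
dlv.isc.org.   7200  IN  DNSKEY  257 3 5 AwEAAcKskOldPartOne AwEAAcKskOldPartTwo
EOF
}
sample_dig_zsk_roll() { cat <<'EOF'
dlv.isc.org.   7200  IN  DNSKEY  256 3 5 AwEAAczskTwoPartOne AwEAAczskTwoPartTwo
dlv.isc.org.   7200  IN  DNSKEY  257 3 5 AwEAAcKskOldPartOne AwEAAcKskOldPartTwo
EOF
}
sample_dig_ksk_roll() { cat <<'EOF'
dlv.isc.org.   7200  IN  DNSKEY  257 3 5 AwEAAcKskOldPartOne AwEAAcKskOldPartTwo
dlv.isc.org.   7200  IN  DNSKEY  257 3 5 AwEAAcKskNewPartOne AwEAAcKskNewPartTwo
EOF
}
sample_fragment_good() { cat <<'EOF'
trusted-keys {
    dlv.isc.org. 257 3 5 "AwEAAcKskOldPartOne AwEAAcKskOldPartTwo";
};
EOF
}
sample_fragment_bad() { cat <<'EOF'
trusted-keys {
    dlv.isc.org. 257 3 5 "AwEAAcKskOldPartOne";
};
options { allow-recursion { any; }; };
EOF
}

if [ $# -gt 0 ]; then
    case "$1" in
        monitor) monitor_ksks ;;
        update)  update_dlv_include ;;
        *)       echo "usage: $0 monitor|update" >&2; exit 64 ;;
    esac
fi
```

Run `monitor` daily from cron and `update` only after a human has confirmed the change on the web page, which keeps Mark's "go check the web site" step in the loop; a ZSK rollover at ISC does not trip the monitor, a KSK rollover or a broken lookup does. The sample_fragment_bad case shows why the brace count matters: a tampered download that appends an options block would otherwise be executed as configuration by the include.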
