> # This file also contains a copy of the trust anchor for the DNS root zone
> # (".").  However, named does not use it; it is provided here for
> # informational purposes only.  To switch on DNSSEC validation at the
> # root, the root key below can be copied into named.conf.
> 
> Does this still apply? Do I really have to copy the key for "." into
> bind.conf in order for it to be used and it's not managed automatically?
> 
> Or did I misunderstand something here?

It still applies in 9.7.3.  In 9.8 (the first release of which should be
published within a week, barring unexpected problems), we added the option
"dnssec-validation auto", which turns on the root key automatically.  But
in 9.7, the only key named pulls out of bind.keys is the one for
dlv.isc.org (and it reads that one only if you turn on "dnssec-lookaside
auto").

The "dnssec-validation auto" feature isn't going to be backported to 9.7,
but we thought it would still be useful for people to have a copy of the
root key included somewhere in the tarball, so we put the key into both
branches, but with different comments.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
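
The two setups described in the reply above, as an added named.conf sketch that is not part of the original message or of ISC's shipped files. The `managed-keys` entry assumes the root key is copied verbatim from the bind.keys file in your tarball; the key data is left as a placeholder here, and the two variants are alternatives, not meant to be combined.

```conf
// --- Variant A: BIND 9.7.x -------------------------------------------
// named reads only the dlv.isc.org key from bind.keys (and only with
// "dnssec-lookaside auto"), so the root trust anchor must be present
// in named.conf itself.
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

managed-keys {
    // Copy this entry verbatim from the "." entry in bind.keys.
    // Placeholder below: do not type key material by hand.
    "." initial-key 257 3 8 "<root key data copied from bind.keys>";
};

// --- Variant B: BIND 9.8 and later -----------------------------------
// "dnssec-validation auto" turns on the root key automatically, so no
// managed-keys statement for "." is needed in named.conf.
options {
    dnssec-enable yes;
    dnssec-validation auto;
};
```

After reloading, a query through the resolver for a signed name (for example `dig +dnssec . SOA`) should come back with the `ad` flag set if validation against the root anchor is working.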
