On Feb 23 2011, Matus UHLAR - fantomas wrote:


after downloading and unpacking bind9.7.3, there's bind.keys file that
contains this comment:

# This file also contains a copy of the trust anchor for the DNS root zone
# (".").  However, named does not use it; it is provided here for
# informational purposes only.  To switch on DNSSEC validation at the
# root, the root key below can be copied into named.conf.

Does this still apply? Do I really have to copy the key for "." into
bind.conf in order for it to be used and it's not managed automatically?

Or did I misunderstand something here?

Experiment reveals that, *provided* you use "dnssec-lookaside auto;",
BIND uses both entries in the managed-keys statement in [prefix]/etc/bind.keys.

In fact, the documentation in the file is not consistent. Apart from
the bit you quote, there is also this
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.

just before the root key itself, which contradicts the former (and appears
to be true!).

Personally, on production servers, I would rather not rely on what ISC
are doing with this file, but have my own managed-keys statement and
avoid "dnssec-lookaside auto;".

Chris Thompson
Email: c...@cam.ac.uk
bind-users mailing list

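As an added illustration of the approach Chris describes at the end (not part of the original thread, and not ISC's shipped configuration), the named.conf fragment below configures a validating resolver with its own managed-keys statement for "." and without "dnssec-lookaside auto;". The directory path and the key placeholder are assumptions; the actual root DNSKEY RDATA must be obtained and verified by the operator.

```conf
// Added example (not from the original post): named.conf fragment that
// pins the root trust anchor explicitly instead of relying on
// [prefix]/etc/bind.keys, and leaves DLV (dnssec-lookaside) switched off.
options {
    directory "/var/cache/bind";     // assumed path, adjust to your build
    recursion yes;
    dnssec-enable yes;
    // "yes" rather than "auto": named then validates only against the
    // trust anchors configured in this file and does not read bind.keys.
    dnssec-validation yes;
    // No "dnssec-lookaside auto;" here. That option points named at the
    // DLV registry (dlv.isc.org), which is not needed once the root is
    // signed and was decommissioned in 2017.
};

// RFC 5011 managed trust anchor for the root zone. "initial-key" gives
// named a starting point; from then on it tracks the root KSK rollover
// itself. The RDATA is the root DNSKEY (flags 257, protocol 3,
// algorithm 8); replace the placeholder with the real base64 public key
// after checking it against the DS published at
// https://data.iana.org/root-anchors/root-anchors.xml (see note below).
managed-keys {
    "." initial-key 257 3 8 "<ROOT-KSK-PUBLIC-KEY-BASE64-PLACEHOLDER>";
};
```

To fill in the placeholder, fetch the root DNSKEY RRset (for example `dig . DNSKEY`), derive its DS with `dnssec-dsfromkey` (e.g. `dig . DNSKEY | dnssec-dsfromkey -f - .`) and confirm the digest matches the KeyDigest in root-anchors.xml before pasting the 257 key in. After reloading named, a query such as `dig @127.0.0.1 +dnssec . SOA` should return the `ad` flag in the response header, which shows the answer was validated against this anchor.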