On Feb 23 2011, Evan Hunt wrote:

# This file also contains a copy of the trust anchor for the DNS root zone
# (".").  However, named does not use it; it is provided here for
# informational purposes only.  To switch on DNSSEC validation at the
# root, the root key below can be copied into named.conf.

Does this still apply? Do I really have to copy the key for "." into
bind.conf in order for it to be used and it's not managed automatically?

Or did I misunderstand something here?

It still applies in 9.7.3.  In 9.8 (the first release of which should be
published within a week, barring unexpected problems), we added the option
"dnssec-validation auto", which turns on the root key automatically.  But
in 9.7, the only key named pulls out of bind.keys is the one for
dlv.isc.org (and it reads that one only if you turn on "dnssec-lookaside

That may have been the intent, but I can assure you that it isn't what
actually happens! To make doubly sure, I stopped the test 9.7.3 named
on my workstation, removed the managed-keys.bind* files as well, and
restarted it with a named.conf with no managed-keys statement but with
"dnssec-lookaside auto". It ends up with trust anchors for both
the root and dlv.isc.org, as shown by all of

* rndc secroots
* what appears in managed-keys.bind
* "ad" bit on appropriate "dig +dnssec" calls

which sort of convinces me ... :-)

Chris Thompson
Email: c...@cam.ac.uk
bind-users mailing list
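The checks Chris lists (which anchors `rndc secroots` reports, and whether the `ad` bit is set on a `dig +dnssec` reply) can be scripted. This is an added example, not code from the thread or from BIND; the secroots dump and dig header below are constructed samples, and the key tags in them are placeholders rather than real root or DLV key ids.

```python
"""Confirm which DNSSEC trust anchors a BIND resolver actually loaded,
by parsing the `rndc secroots` dump and the header of a `dig +dnssec`
reply. Sample outputs are constructed for this example."""
import re
from typing import Dict, List, Set

# Constructed secroots dump (shape as in BIND 9.7/9.8); tags are placeholders.
SECROOTS_SAMPLE = """\
secure roots as of 23-Feb-2011 12:00:00.000:

 Start view _default

   ./RSASHA256/12345 ; managed
   dlv.isc.org/RSASHA1/23456 ; managed
"""

# Constructed header from `dig +dnssec www.isc.org A @127.0.0.1`.
DIG_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# One anchor line: <name>/<algorithm>/<keytag> [; managed|static]
ANCHOR_RE = re.compile(
    r"^\s*(?P<name>\S+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+)\s*(?:;\s*(?P<kind>\w+))?")


def parse_secroots(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map view -> {zone: ["ALG/keytag", ...]} from a secroots dump."""
    views: Dict[str, Dict[str, List[str]]] = {}
    view = None
    for line in text.splitlines():
        if line.strip().startswith("Start view"):
            view = line.split()[-1]
            views[view] = {}
            continue
        m = ANCHOR_RE.match(line)
        if m and view is not None:
            views[view].setdefault(m["name"], []).append(f"{m['alg']}/{m['tag']}")
    return views


def anchored_zones(text: str, view: str = "_default") -> Set[str]:
    """Zones for which the given view holds a trust anchor."""
    return set(parse_secroots(text).get(view, {}))


def dig_flags(text: str) -> Set[str]:
    """Header flags (qr, rd, ra, ad, ...) from dig's ';; flags:' line."""
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            return set(line[len(";; flags:"):].split(";")[0].split())
    return set()


def validated(text: str) -> bool:
    """True when the resolver set the AD (authenticated data) bit."""
    return "ad" in dig_flags(text)
```

On a 9.7.3 box run `rndc secroots` and feed the resulting dump to `parse_secroots`; if both "." and "dlv.isc.org" appear under the view, the root anchor was loaded without any copy of the key in named.conf.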
