> Date: Wed, 23 Feb 2011 17:32:44 +0000 > From: Evan Hunt <e...@isc.org> > Sender: bind-users-bounces+oberman=es....@lists.isc.org > > > That may have been the intent, but I can assure you that it isn't what > > actually happens! > > Whoops. You're right, and it's a bug. The keys aren't read without > "dnssec-lookaside auto" being turned on, but if it is, then both keys are > loaded. This works correctly in 9.8, but a little piece of code that was > supposed to have been committed to 9.7 seems to have been left out by > mistake. My apologies; apparently we've made some people's systems more > secure than we intended. :/ > > If anyone is out there who wants to be using ISC DLV but does not want to > use the root key, comment the root key out of bind.keys.
I would really hoe that the set described above is an empty set. I can imagine some reasons some might want to do it, but I can't come up with a GOOD reason for it. Most people move their trust anchors out of the DLV when they are confident that the keys are properly located in the parent zone. In other words, I think that this should be considered a feature and not a bug. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users