In message <512c1009.4060...@htt-consult.com>, Robert Moskowitz writes:
> >>>>      dnssec-enable yes;
> >>>>      dnssec-validation yes;
> >> digging back in the archive here, I find out this should be
> >>
> >>       dnssec-validation auto;
> > Actually it can be either.  It's all a matter of how you want to
> > set up your trust anchors.  For private root zones it is absolutely
> > the wrong thing to do.
> 
> I got this from some old messages from you on the subject of "no valid 
> signature".
> 
> Perhaps tying into my using the builtin root hints rather than 
> explicitly including a root.hint stub?
> 
> Like the other person, once I changed from 'yes' to 'auto' I stopped 
> logging these messages so I ASSuME that now all those zones are being 
> validated.
> 
> No private root zones here.  At least that I know of!

dnssec-validation auto; adds an implicit managed-keys clause for the
root.  If you just do dnssec-validation yes; you need to add an
explicit trusted-keys / managed-keys clause.

managed-keys {
        . initial-key 257 3 8 
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

If you have islands of trust you will need to have managed/trusted
keys for them.  It is also a good idea to have managed/trusted keys
for your internal zones so you are not dependent on external zones
for internal lookups when your internet connection goes down.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
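Since the absence of "no valid signature" log lines does not by itself prove that answers are being validated, the following is an added shell helper (not from this thread or from ISC) that classifies a `dig +dnssec` response by its rcode and the AD (authenticated data) flag; the resolver address, zone names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# classify_dig: read a `dig +dnssec` response on stdin and print one of
#   secure   - NOERROR/NXDOMAIN with the AD flag set: answer was validated
#   insecure - NOERROR/NXDOMAIN without AD: not validated (zone unsigned,
#              or no trust anchor covers it, e.g. an island of trust with
#              no managed-keys/trusted-keys entry for it)
#   bogus    - SERVFAIL: usually a validation failure, confirm with +cd
#   unknown  - anything else (timeout, REFUSED, ...)
classify_dig() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$resp" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR|NXDOMAIN)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo unknown ;;
    esac
}

# check_zone RESOLVER ZONE: query the resolver under test for the zone's
# SOA and classify it.  A SERVFAIL is retried with +cd (checking
# disabled): if that succeeds, the resolver itself rejected the data,
# i.e. a validation failure, rather than an upstream outage.
check_zone() {
    resolver=$1
    zone=$2
    result=$(dig @"$resolver" +dnssec "$zone" SOA | classify_dig)
    if [ "$result" = bogus ]; then
        if dig @"$resolver" +cd "$zone" SOA | grep -q 'status: NOERROR'; then
            result='bogus (validation failure)'
        else
            result='servfail (not a validation failure)'
        fi
    fi
    printf '%s\t%s\n' "$zone" "$result"
}

# Example (constructed addresses and names):
#   check_zone 127.0.0.1 example.com.
#   check_zone 127.0.0.1 corp.internal.    # island of trust, needs its own key
```

Run `check_zone` once against the root and once against each internal zone: an internal zone that reports `insecure` after switching to `auto` is one that still needs its own managed-keys entry.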