In message <512c1009.4060...@htt-consult.com>, Robert Moskowitz writes:

> >>>> dnssec-enable yes;
> >>>> dnssec-validation yes;
> >> digging back in the archive here, I find out this should be
> >>
> >> dnssec-validation auto;
> > Actually it can be either. It's all a matter of how you want to
> > set up your trust anchors. For private root zones it is absolutely
> > the wrong thing to do.
>
> I got this from some old messages from you on the subject of "no valid
> signature".
>
> Perhaps tying into my using the built-in root hints rather than
> explicitly including a root.hint stub?
>
> Like the other person, once I changed from 'yes' to 'auto' I stopped
> logging these messages so I ASSuME that now all those zones are being
> validated.
>
> No private root zones here. At least that I know of!
dnssec-validation auto; adds an implicit managed-keys clause for the
root. If you just do dnssec-validation yes; you need to add an explicit
trusted-keys / managed-keys clause.

    managed-keys {
            . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
    };

If you have islands of trust you will need to have managed/trusted keys
for them. It is also a good idea to have managed/trusted keys for your
internal zones so you are not dependent on external zones for internal
lookups when your internet connection goes down.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
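The configuration mistakes discussed in this exchange (dnssec-validation yes; with no trust anchor, so nothing is actually validated; dnssec-validation auto; combined with an explicit root anchor, which is wrong for a private root; islands of trust that need their own anchors) can be caught by inspecting named.conf before reloading. The lint below is an added example written for this page; it is not ISC code and was not posted in the thread. It assumes the BIND clause names managed-keys, trusted-keys and trust-anchors (the last is the newer spelling of the same clause), treats a name as anchored if it appears as an entry in one of those clauses, and uses constructed sample configurations whose key material is a placeholder string, not a real DNSKEY. It only reads the configuration text; it does not talk to named or check that the anchors are correct.

```python
"""Lint named.conf text for dnssec-validation / trust-anchor mismatches.

Added example for this page (not ISC code, not from the thread). It inspects
configuration text only. Sample configs below are constructed; key material
is a placeholder, not a real DNSKEY.
"""
import re
from typing import List, Optional, Set, Tuple

# Strip /* */, // and # comments so keywords in comments are not matched.
# (Assumption: no '//' inside quoted strings, e.g. URLs, in the config.)
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# Opening of a trust-anchor clause (trust-anchors is the newer clause name).
_ANCHOR_CLAUSE_RE = re.compile(r"\b(managed-keys|trusted-keys|trust-anchors)\s*\{")
# One entry: optional quotes around the name, then initial-key/static-key
# (managed-keys, trust-anchors) or the numeric flags field (trusted-keys).
_ENTRY_RE = re.compile(r'(?:^|;)\s*("?)([^\s"]+)\1\s+(?:initial-key|static-key|\d+)')


def strip_comments(text: str) -> str:
    return _COMMENT_RE.sub("", text)


def validation_mode(text: str) -> Optional[str]:
    """First dnssec-validation value ('yes', 'no', 'auto'), or None if absent."""
    m = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", text)
    return m.group(1) if m else None


def anchored_names(text: str) -> Set[str]:
    """Zone names that have a configured trust anchor, normalised to end in '.'."""
    names: Set[str] = set()
    for m in _ANCHOR_CLAUSE_RE.finditer(text):
        start = m.end() - 1            # index of the opening '{'
        depth, i = 0, start
        while i < len(text):           # find the matching closing brace
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        for entry in _ENTRY_RE.finditer(text[start + 1:i]):
            name = entry.group(2).lower()
            names.add(name if name == "." else name.rstrip(".") + ".")
    return names


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the validation setup in config."""
    text = strip_comments(config)
    mode = validation_mode(text)
    anchors = anchored_names(text)
    findings: List[Tuple[str, str]] = []
    if mode is None or mode == "no":
        return [("NO_VALIDATION", "dnssec-validation is off: answers are not validated")]
    if mode == "yes" and not anchors:
        findings.append(("YES_WITHOUT_ANCHORS",
                         "dnssec-validation yes but no managed-keys/trusted-keys clause: "
                         "there is no trust anchor, so nothing is validated"))
    if mode == "auto" and "." in anchors:
        findings.append(("AUTO_AND_EXPLICIT_ROOT",
                         "auto already supplies the public root anchor and an explicit '.' "
                         "anchor is also configured; for a private root use 'yes' with "
                         "only your own root key"))
    if mode == "yes" and anchors and "." not in anchors:
        findings.append(("ISLANDS_ONLY",
                         "no root anchor: only the islands %s are validated" % sorted(anchors)))
    return findings


PLACEHOLDER = "PLACEHOLDERKEYMATERIALNOTAREALKEY=="   # constructed, not a DNSKEY

SAMPLE_YES_NO_ANCHORS = """
options {
    dnssec-enable yes;
    dnssec-validation yes;   // no managed-keys anywhere: nothing validated
};
"""
SAMPLE_AUTO_WITH_ISLAND = """
options { dnssec-enable yes; dnssec-validation auto; };
managed-keys { corp.example. initial-key 257 3 8 "%s"; };
""" % PLACEHOLDER
SAMPLE_AUTO_PLUS_ROOT = """
options { dnssec-validation auto; };
managed-keys { . initial-key 257 3 8 "%s"; };
""" % PLACEHOLDER
SAMPLE_PRIVATE_ROOT = """
options { dnssec-validation yes; };
managed-keys { . initial-key 257 3 8 "%s"; };
""" % PLACEHOLDER
SAMPLE_ISLANDS_ONLY = """
options { dnssec-validation yes; };
trusted-keys { "corp.example." 257 3 8 "%s"; };
""" % PLACEHOLDER

if __name__ == "__main__":
    for label, cfg in [("yes, no anchors", SAMPLE_YES_NO_ANCHORS),
                       ("auto + internal island", SAMPLE_AUTO_WITH_ISLAND),
                       ("auto + explicit root", SAMPLE_AUTO_PLUS_ROOT),
                       ("private root", SAMPLE_PRIVATE_ROOT),
                       ("islands only", SAMPLE_ISLANDS_ONLY)]:
        print(label, "->", [code for code, _ in lint(cfg)] or ["ok"])
```

Run it against your own named.conf with `lint(open("/etc/named.conf").read())`; an empty list means the validation mode and the configured anchors are at least consistent with each other. The check is textual: it cannot tell whether an anchor's key material is current, which is what `rndc secroots` and the "no valid signature" log messages are for.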