Thomas Schulz <sch...@adi.com> wrote:
>
> I found that I had 'dnssec-enable yes' along with a managed-keys
> statement with an initial-key. If I change to 'dnssec-enable auto'
> do I still need a managed-keys statement? If not will it hurt to have
> one? Can I have a managed-keys statement without an initial-key?

You seem to have muddled up dnssec-enable and dnssec-validation.

The default is "dnssec-enable yes". This enables support for the DO bit
and correct RRSIG handling. It's usually best to omit the dnssec-enable
option from your configuration file.

The dnssec-validation option controls validation. The default is "no". If
you set it to "yes" then you need to manually configure your trust
anchors. If you set it to "auto" then you can omit any managed-keys
configuration, and BIND will use its built-in default. It's usually best
to set "dnssec-validation auto".

A managed-keys clause without an initial key would be empty :-)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fitzroy, Sole: Southwesterly, but cyclonic at first in northwest, 4 or 5,
increasing 6 at times, then increasing 7 or perhaps gale 8 later. Moderate or
rough, occasionally very rough later. Occasional rain. Good, occasionally
poor.
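
A configuration check for the mix-up discussed in the reply above, added here as an example (not part of the original thread and not ISC's code): it scans named.conf text for the two options and reports findings using the defaults the reply states. The function names, finding codes and sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): the setup the question describes,
# with placeholder key data.
SAMPLE_CONF = """
options {
    directory "/var/named";
    dnssec-enable yes;        // DO bit and RRSIG handling, not validation
};
managed-keys {
    "." initial-key 257 3 8 "PLACEHOLDERKEYDATA";
};
"""

def _setting(conf, name):
    """Value of a simple `name value;` statement, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s+([^\s;]+)\s*;", conf)
    return m.group(1).lower() if m else None

def audit(conf):
    """Return (code, message) findings using the defaults stated in the reply."""
    # Simplified scan: drops /* */, // and # comments; quoting is not honoured.
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#)[^\n]*", "", conf)
    anchors = re.search(r"\b(managed-keys|trusted-keys)\s*\{", conf)
    findings = []

    enable = _setting(conf, "dnssec-enable")
    if enable is not None and enable not in ("yes", "no"):
        findings.append(("enable-bad-value",
                         "dnssec-enable is yes/no; 'auto' belongs to dnssec-validation"))
    elif enable == "yes":
        findings.append(("enable-redundant",
                         "dnssec-enable yes is the default; the line can be omitted"))

    mode = _setting(conf, "dnssec-validation") or "no"  # default per the reply
    if mode == "no":
        findings.append(("validation-off", "resolver does not validate DNSSEC"))
    elif mode == "yes" and not anchors:
        findings.append(("no-trust-anchor",
                         "validation yes needs manually configured trust anchors"))
    elif mode == "auto" and anchors:
        findings.append(("anchors-optional",
                         "with validation auto the managed-keys clause can be omitted"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"{code}: {message}")
```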