Hello,

I have a question about the bind.keys file and what happens when it is not available.

According to the ARM:

    dnssec-validation  This option enables DNSSEC validation in named.
        . . .

    (To prevent problems if bind.keys is not found, the current trust
     anchor is also compiled in named. Relying on this is not
     recommended, however, as it requires named to be recompiled with a
     new key when the root key expires.)

I note the part towards the bottom where it says _not_ to rely on the compiled-in key when bind.keys is not found.

With the packaged version of BIND that I am using (BIND 9.16.27), no bind.keys file was provided. I then enabled DNSSEC validation by adding: dnssec-validation auto in my named.conf file and restarted BIND.

I now see I have a managed-keys.bind file in my BIND directory. To find out more about that I went to [1], which states:

    For Current Releases (BIND 9.11 and higher)
        . . .
    Once named is managing the keys, the current keys will be
    in managed-keys.bind or *.mkeys, if you use views.

In my case, I have BIND configured as a recursive resolver. I have an ACL section and an Options section but no views . . . but I still get managed-keys.bind.

My question is:

** If I don't have bind.keys in my BIND directory but have: dnssec-validation auto in my named.conf, is BIND automatically getting the trust anchor and storing it in managed-keys.bind, so that when my recursive resolver does a lookup and performs DNSSEC validation, validation works? Or do I still need to download bind.keys from [1]?

Thanks for your help,

- J
Sources:

[1] https://www.isc.org/bind-keys/