On 2022-03-30 02:23, Evan Hunt wrote:

On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote:
I have a question about the bind.keys file and what happens when it is
not available.
[...]
** If I don't have bind.keys in my BIND directory but have:
dnssec-validation auto in my named.conf, is BIND automatically getting
the trust anchor and storing it in managed-keys.bind so that when my
recursive resolver does a lookup and performs DNSSEC validation,
validation works ?  Or do I still need to download bind.keys from [1] ?

There's a copy of bind.keys that's compiled directly in named. If
the file isn't there, named will just use its own internal copy.

The first time named starts up with 'dnssec-validation' set to 'auto',
it fetches the current root key, validates it against its local
copy (either from bind.keys or from its own built-in copy), and then
keeps the key up to date according to the RFC 5011 protocol from
then on.

The recommendation to use bind.keys and not rely on the built-in
version was based on some assumptions that are no longer true. First,
`dnssec-validation auto` is now the default, so unless you disabled it on
purpose, you've been validating and keeping the root key up to date since
the first time you ran your server.  Second, back in those days it was
harder to get hold of regularly-updated packages for BIND, and scads
of people were running outdated code.

We were concerned that someone would be running an old version of named,
the root key would change, and *then* they'd decide to turn validation on
for the first time, and it wouldn't work. To smooth that out a bit, we
added the bind.keys file to the release tarball, and when giving tutorials
about turning on DNSSEC validation, we included a note that you should
always check whether bind.keys needed to be updated.

In today's world, I don't think it's important anymore.


Hi Evan,

Apologies for my late reply. Thank you so much for the detailed explanation of: dnssec-validation auto and what happens when: bind.keys doesn't exist.

With this setting in place in my: named.conf I then restarted BIND, gave it a second to pull the trust information and then used: delv to test verification.

The first test for unverified/unsigned was:

        $ delv google.com
                ; unsigned answer
                        . . .

... and the second test for verified/signed was:

        $ delv ietf.org
                ; fully validated
                        . . .

... which wouldn't have worked if: dnssec-validation auto failed in getting the same information as: bind.keys.

- J


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
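The two delv tests J ran above are easy to automate. The following is an added example, not code from the thread or from ISC: a POSIX sh function that turns delv's leading comment line (the "; fully validated" and "; unsigned answer" strings seen above) into a one-word verdict, plus a wrapper that runs delv against a name and fails unless the answer validated. The "resolution failed" / "validation failure" failure patterns are an assumption about delv's error output, not something the thread shows.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): summarise delv's verdict.
#
# delv prints a comment line before the answer. The thread shows two of them:
#   "; fully validated"  -> answer carried valid DNSSEC signatures
#   "; unsigned answer"  -> zone is not signed (no validation possible)
# Anything mentioning a resolution or validation failure is treated as
# "failed" (assumed wording, see lead-in); anything else is "unknown".

delv_verdict() {
  # $1: complete delv output as one string (stdout+stderr of a delv run)
  case "$1" in
    *"; fully validated"*)                       echo validated ;;
    *"; unsigned answer"*)                       echo unsigned ;;
    *"resolution failed"*|*"validation failure"*) echo failed ;;
    *)                                           echo unknown ;;
  esac
}

expect_validated() {
  # $1: name that must come back "fully validated"; returns 1 otherwise.
  # Uses the resolver from /etc/resolv.conf, like J's manual tests.
  _name=$1
  _out=$(delv "$_name" 2>&1)
  _v=$(delv_verdict "$_out")
  printf '%s: %s\n' "$_name" "$_v"
  [ "$_v" = validated ]
}

# Usage (needs network, so not exercised offline):
#   expect_validated ietf.org && echo "resolver validation OK"
```

Note that delv validates the answer itself, using its own built-in root trust anchor (or one supplied with -a), rather than reporting what named decided. A "fully validated" result therefore shows that the trust-anchor bootstrap and the signature chain work end to end; to confirm that named is also validating, check named's own logs or its managed-keys.bind contents alongside this.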