On 30 Aug 2010, at 00:02, clem...@dwf.com wrote:
> 
> Can you either point me at the documentation I need to read, or 
> explain how to
> 
>    'Add one for the root zone'

Have a look at:
http://fanf.livejournal.com/107310.html

Note that since you are using bind-9.6 you have to use a "trusted-keys" clause 
since it doesn't support "managed-keys" / RFC 5011. For the same reason 
bind-9.6 also does not support "dnssec-lookaside auto".

> No, I haven't done this, and I don't see anything for the root zone when
> I do the above, viz 'anchors2keys < anchors.xml > trusted.keys'.

The ITAR only contains TLD trust anchors, not the root trust anchor nor any for 
lower zones. Also, the root trust anchor is distributed in a different format 
to the ITAR so anchors2keys doesn't work on it (hence my blog post).

I recommend ignoring the ITAR (it is due to be eliminated now the root has been 
signed). Use dnssec-lookaside if you want to validate zones that lack a chain 
of trust from the root.

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
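
An added example, not part of the original message or of the linked blog post: the root trust anchor is published as a DS-style digest (key tag, algorithm, digest type, digest), while a bind-9.6 "trusted-keys" clause needs the full DNSKEY, so one way to bridge the two is to check a fetched DNSKEY against the published digest before emitting the clause. The function names are hypothetical and the key below is a constructed sample, not the real root key.

```python
import base64
import hashlib
import struct

ROOT_OWNER_WIRE = b"\x00"  # wire-format owner name of the root zone "."

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(rdata, owner_wire=ROOT_OWNER_WIRE):
    """DS digest type 2: SHA-256 over the owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def trusted_keys_clause(flags, protocol, algorithm, key_b64, want_tag, want_digest):
    """Return a trusted-keys clause only if the key matches the published anchor."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    if key_tag(rdata) != want_tag:
        raise ValueError("key tag mismatch")
    if ds_digest_sha256(rdata) != want_digest.upper():
        raise ValueError("digest mismatch")
    return 'trusted-keys {\n    "." %d %d %d "%s";\n};\n' % (
        flags, protocol, algorithm, key_b64)

if __name__ == "__main__":
    # Constructed sample key (NOT the real root KSK). In real use the tag and
    # digest come from the published root anchor, obtained and verified out of
    # band; here they are derived from the sample key so the demo runs offline.
    key = base64.b64encode(bytes(range(64))).decode()
    rdata = dnskey_rdata(257, 3, 8, key)
    tag, digest = key_tag(rdata), ds_digest_sha256(rdata)
    print(trusted_keys_clause(257, 3, 8, key, tag, digest))
    try:
        # A key that does not match the anchor digest must be refused.
        trusted_keys_clause(257, 3, 8, key, tag, "00" * 32)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is only as trustworthy as the source of the published tag and digest, so those should be obtained over a channel you have verified independently of the DNS answer that supplied the DNSKEY.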
