In message <1315237316.31288.2.ca...@ns.five-ten-sg.com>, Carl Byington writes:

> > "dnssec-lookaside auto;" only pulls the "dlv.isc.org" key out of
> > that file. The root's key is just for reference in BIND 9.7.x. If
> > you just include that file into named.conf it will load the root's
> > key and org's answers will validate.
> >
> > e.g.
> > include "/etc/named.iscdlv.key";
> >
> > BIND 9.8 has "dnssec-validate auto;" which pulls the root's key out
> > of that file.
>
> Thanks! That works.

Good. ISC ships the file as "/etc/bind.keys" with the following comments per version. The comments are there to prevent issues such as this. Please report the lack of appropriate comments to the RPM maintainer.

Mark

BIND 9.6-ESV-R5:

/* $Id: bind.keys,v 1.2.2.4 2011-01-04 19:15:12 each Exp $ */
# This file contains current trust anchors for the DNS root zone (".")
# and for the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). It is
# provided within BIND 9 for convenience of configuration. To use these
# keys, copy the trusted-keys statement below into named.conf, or else set
# named.conf to "include" this file.
#
# These keys are current as of January 2011. If any key fails to
# work correctly, it may have expired. In that event, you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
#
# (NOTE: If this file is used via the "include" directive in named.conf,
# then it is NOT advisable to modify it. In BIND 9.7 and higher, this file
# is used directly by named. Upgrades to BIND may overwrite the file and
# eliminate any user-configured keys. Furthermore, in those versions of
# BIND, this file can only be used for a specific set of domain names, and
# any other trust anchors configured here would be ignored. So, while it
# is possible to use this file for other trust anchors in BIND 9.6, doing
# so may lead to problems when you upgrade.)

BIND 9.7.4:

/* $Id: bind.keys,v 1.5.42.3 2011-03-25 17:46:40 each Exp $ */
# The bind.keys file is used to override built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release (BIND
# 9.7), the only trust anchor it sets is the one for the ISC DNSSEC
# Lookaside Validation zone ("dlv.isc.org"). Trust anchors for any other
# zones MUST be configured elsewhere; if they are configured here, they
# will not be recognized or used by named.
#
# This file also contains a copy of the trust anchor for the DNS root zone
# ("."). However, named does not use it; it is provided here for
# informational purposes only. To switch on DNSSEC validation at the
# root, the root key below can be copied into named.conf.
#
# The built-in DLV trust anchor in this file is used directly by named.
# However, it is not activated unless specifically switched on. To use
# the DLV key, set "dnssec-lookaside auto;" in the named.conf options.
# Without this option being set, the key in this file is ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

BIND 9.8.1:

/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
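An added example, not part of Mark's message or of ISC's shipped files, laying the three configurations from this thread side by side: the 9.7.x options block that only activates the DLV anchor and leaves the root unvalidated, the 9.7.x fix of including the shipped key file, and the 9.8 "dnssec-validation auto;" form. The path /etc/named.iscdlv.key is the one Carl's package uses; stock ISC builds ship the file as /etc/bind.keys.

```conf
// ---- BIND 9.7.x, INCOMPLETE ------------------------------------------
// "dnssec-lookaside auto;" pulls only the dlv.isc.org anchor out of the
// key file.  No root trust anchor is configured, so nothing under "."
// validates (no "ad" flag on answers for org. etc.).
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};

// ---- BIND 9.7.x, CORRECTED -------------------------------------------
// Including the shipped key file into named.conf loads the root key it
// carries as a trust anchor.  Do not edit the included file: upgrades
// overwrite it and any hand-added keys are lost (see ISC's comments).
options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};
include "/etc/named.iscdlv.key";   // RPM path from the thread; ISC: /etc/bind.keys

// ---- BIND 9.8, CORRECTED ---------------------------------------------
// The built-in root key is switched on by "dnssec-validation auto;";
// no include is needed, and the DLV key is still enabled separately.
options {
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
};

// Check after reloading: "dig @127.0.0.1 org. SOA +dnssec" should show
// "ad" among the header flags; its absence means the root anchor is
// not in effect.
```

Use exactly one of the three blocks in a real named.conf; they are shown together only for comparison.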