-/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
-# which are included as part of BIND 9. As of the current release, the only
-# trust anchors it contains are those for the DNS root zone ("."), and for
-# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
-# for any other zones MUST be configured elsewhere; if they are configured
-# here, they will not be recognized or used by named.
+# which are included as part of BIND 9. The only trust anchors it contains
+# are for the DNS root zone ("."). Trust anchors for any other zones MUST
+# be configured elsewhere; if they are configured here, they will not be
+# recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
-# To use the built-in root key, set "dnssec-validation auto;" in
-# named.conf options. To use the built-in DLV key, set
-# "dnssec-lookaside auto;". Without these options being set,
-# the keys in this file are ignored.
+# To use the built-in key, use "dnssec-validation auto;" in the
+# named.conf options. Without this option being set, the keys in this
+# file are ignored.
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of Feburary 2017. If any key fails to
+# These keys are current as of October 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information for the root zone.
managed-keys {
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.
- #
- # NOTE: The ISC DLV zone is being phased out as of February 2017;
- # the key will remain in place but the zone will be otherwise empty.
- # Configuring "dnssec-lookaside auto;" to activate this key is
- # harmless, but is no longer useful and is not recommended.
- dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
- TDN0YUuWrBNh";
-
- # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
- # for current trust anchor information.
- #
- # These keys are activated by setting "dnssec-validation auto;"
- # in named.conf.
- #
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
- # This key (20326) is to be published in the root zone in 2017.
- # Servers which were already using the old key should roll to the
- # new # one seamlessly. Servers being set up for the first time
- # can use either of the keys in this file to verify the root keys
- # for the first time; thereafter the keys in the zone will be
- # trusted and maintained automatically.
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
- // to talk to, you might need to uncomment the query-source
- // directive below. Previous versions of BIND always asked
- // questions using port 53, but BIND 8.1 and later use an unprivileged
- // port by default.
-
- // query-source address * port 53;
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
18.72.0.3;
};
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
// ALEX DEHNERT: copied from old arctic version on 2008-12-19
//ALEX DEHNERT: Security-related stuff:
// Secure(ish):
projects / sysconfig / bind.git / commitdiff