diff --git a/bind.keys b/bind.keys index 7ee1e31..c06e2ec 100644 --- a/bind.keys +++ b/bind.keys @@ -1,45 +1,44 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + # The bind.keys file is used to override the built-in DNSSEC trust anchors # which are included as part of BIND 9. The only trust anchors it contains # are for the DNS root zone ("."). Trust anchors for any other zones MUST # be configured elsewhere; if they are configured here, they will not be # recognized or used by named. # -# The built-in trust anchors are provided for convenience of configuration. -# They are not activated within named.conf unless specifically switched on. -# To use the built-in key, use "dnssec-validation auto;" in the -# named.conf options. Without this option being set, the keys in this -# file are ignored. +# To use the built-in root key, set "dnssec-validation auto;" in the +# named.conf options, or else leave "dnssec-validation" unset. If +# "dnssec-validation" is set to "yes", then the keys in this file are +# ignored; keys will need to be explicitly configured in named.conf for +# validation to work. "auto" is the default setting, unless named is +# built with "configure --disable-auto-validation", in which case the +# default is "yes". # # This file is NOT expected to be user-configured. # -# These keys are current as of October 2017. If any key fails to -# initialize correctly, it may have expired. In that event you should -# replace this file with a current version. The latest version of -# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. +# Servers being set up for the first time can use the contents of this file +# as initializing keys; thereafter, the keys in the managed key database +# will be trusted and maintained automatically. # -# See https://data.iana.org/root-anchors/root-anchors.xml -# for current trust anchor information for the root zone. - -managed-keys { - # This key (19036) is to be phased out starting in 2017. It will - # remain in the root zone for some time after its successor key - # has been added. It will remain this file until it is removed from - # the root zone. - . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; +# These keys are current as of Mar 2019. If any key fails to initialize +# correctly, it may have expired. In that event you should replace this +# file with a current version. The latest version of bind.keys can always +# be obtained from ISC at https://www.isc.org/bind-keys. +# +# See https://data.iana.org/root-anchors/root-anchors.xml for current trust +# anchor information for the root zone. +trust-anchors { # This key (20326) was published in the root zone in 2017. - # Servers which were already using the old key (19036) should - # roll seamlessly to this new one via RFC 5011 rollover. Servers - # being set up for the first time can use the contents of this - # file as initializing keys; thereafter, the keys in the - # managed key database will be trusted and maintained - # automatically. . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF