[dns-operations] Blog post about configuring BIND 9 with the trust anchor

Paul Vixie vixie at isc.org
Sat Jul 17 16:59:04 UTC 2010


> Date: Sat, 17 Jul 2010 12:16:15 -0400
> From: Olafur Gudmundsson <ogud at ogud.com>
> 
> You really need 9.7++ as 9.6.x does not support RFC5011 and new KSK will be
> published along with the RFC5011 procedure when the time comes.

indeed, this is true.  in hindsight i wish that we had not added alg 8 to a
version (9.6.x) that doesn't support RFC 5011.  9.7.1-P2 is what i'm running
on my validators and they are working fine.  it looks a little like this,
but if any of you cut&paste these keys from unsigned mail on a public forum
like this one, you would be fools.

options {
	// ...
	recursion yes;
	dnssec-enable yes;
	dnssec-lookaside . trust-anchor dlv.isc.org.;
	dnssec-validation yes;
	// ...
};

managed-keys {
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

trusted-keys {
 dlv.isc.org. 257 3 5 "
   BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
   brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
   1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
   ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
   Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
   QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
   TDN0YUuWrBNh";
};
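Rather than trusting keys pasted into unsigned mail, a validator operator should check what was pasted against the anchor published out of band (IANA's root trust anchor file, ISC's published DLV key). The script below is an added example, not code from the post or from ISC: it parses a trusted-keys/managed-keys fragment, decodes the multi-line quoted key, computes the RFC 4034 Appendix B key tag and recovers the RSA exponent and modulus size (RFC 3110 encoding, which algorithms 5 and 8 share), so those values can be compared with the published ones. The sample input is the managed-keys statement above with its base64 re-wrapped.

```python
import base64
import re
import struct

# Constructed sample: the managed-keys statement from the post, base64 re-wrapped (bytes unchanged).
SAMPLE_CONF = '''
managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                           /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                           oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                           Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
'''

KEY_RE = re.compile(r'(\S+)\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"')

def parse_keys(conf):
    """Return (owner, flags, protocol, algorithm, pubkey bytes) for each key entry."""
    out = []
    for owner, flags, proto, alg, b64 in KEY_RE.findall(conf):
        pubkey = base64.b64decode(re.sub(r"\s+", "", b64))  # quoted string may span lines
        out.append((owner, int(flags), int(proto), int(alg), pubkey))
    return out

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_public_numbers(pubkey):
    """Split an RFC 3110 RSA public key field into (exponent, modulus)."""
    exp_len, off = pubkey[0], 1
    if exp_len == 0:  # long form: two-byte exponent length follows
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    e = int.from_bytes(pubkey[off:off + exp_len], "big")
    return e, int.from_bytes(pubkey[off + exp_len:], "big")

def summarize(conf):
    """Values to compare with the anchor published out of band: tag, SEP bit, RSA size."""
    rows = []
    for owner, flags, proto, alg, pubkey in parse_keys(conf):
        e, n = rsa_public_numbers(pubkey)  # algorithms 5 and 8 are both RSA
        rows.append({"owner": owner, "alg": alg, "tag": key_tag(flags, proto, alg, pubkey),
                     "sep": bool(flags & 1), "exponent": e, "bits": n.bit_length()})
    return rows

print(summarize(SAMPLE_CONF))
```

A mismatch between the printed tag (or key size) and the published anchor means the pasted key is not the one the zone is actually signed with and must not go into named.conf.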
