4

Just trying to understand the bindkeys-file directive related to the DNSSEC extension in the Bind configuration. Is that a public key? Does it sign the response in the same way as digital signatures?

Gilles 'SO- stop being evil'
Ask and Learn

1 Answer

7

It’s actually an alternative repository for trusted keys, where one can submit their zone keys if there is no fully signed path from the root zone down to your own zone. The functional DLV registry is dlv.isc.org. By default the root zone key and the dlv.isc.org key are included in /etc/named.iscdlv.key, and that goes as the value of the bindkeys-file attribute in the Options directive. You can find this automatically in named.conf or named.options.

From /usr/share/doc/bind-9.7.3/arm/Bv9ARM.pdf:

bindkeys-file The pathname of a file to override the built-in trusted keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. If not specified, the default is /etc/bind.keys.

Nidal
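To make the answer concrete, here is an added example (not from the original answer or from ISC's own files) of the two pieces involved: the options a validating recursive resolver sets in named.conf, and the shape of the file that bindkeys-file points at. The file paths follow the RHEL/CentOS layout the answer mentions; the base64 key material is a placeholder, since a trust anchor must come from your distribution's package or from ISC directly, never typed from memory. The entries in the key file are public DNSKEY records (flags 257 marks a key-signing key), which answers the question: they are the public halves used to verify signatures in responses, not keys that sign anything on the resolver.

```conf
// --- /etc/named.conf (resolver side), constructed example ---
options {
    directory "/var/named";
    recursion yes;

    // Turn validation on. "auto" uses the built-in root trust anchor and
    // keeps it current through RFC 5011 automated key rollover.
    dnssec-enable yes;
    dnssec-validation auto;

    // File whose managed-keys statement overrides the keys compiled into named.
    // RHEL/CentOS ships it as /etc/named.iscdlv.key; upstream default is /etc/bind.keys.
    bindkeys-file "/etc/named.iscdlv.key";

    // "auto" consults dlv.isc.org for zones with no signed chain from the root,
    // using the dlv.isc.org key taken from the bindkeys-file.
    dnssec-lookaside auto;
};

// --- /etc/named.iscdlv.key (the bindkeys-file), shape only ---
// Each entry is a DNSKEY: owner, "initial-key", flags, protocol, algorithm, base64 public key.
// 257 = key-signing key (SEP bit); algorithm 8 = RSA/SHA-256, 5 = RSA/SHA-1.
// Base64 strings below are PLACEHOLDERS, not real key material.
managed-keys {
    "."            initial-key 257 3 8 "PLACEHOLDER-ROOT-KSK-BASE64";
    "dlv.isc.org." initial-key 257 3 5 "PLACEHOLDER-DLV-KSK-BASE64";
};
```

With this in place, a query such as `dig +dnssec example.com. A @127.0.0.1` against the resolver should return the `ad` (authenticated data) flag for a correctly signed zone, which is the practical check that validation is working; a zone with a bad signature returns SERVFAIL instead. Note that ISC retired the dlv.isc.org registry in 2017 and later BIND releases dropped dnssec-lookaside, so on a current resolver keep only dnssec-validation auto and leave the lookaside lines out.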