DNSSEC Validation the Easy Way
Reference Number: AA-01182 | Created: 2014-07-11 13:11 | Last Updated: 2018-04-20 23:08


You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest.


ISC BIND 9 (in all versions supported at the time of this writing) ships with a built-in copy of the root zone KSK (key signing key). Activating validation with this built-in trust anchor requires only one non-default setting in the options statement of named.conf:

options {
    ...
    dnssec-validation auto;
    ...
};

With that added, check the file with "named-checkconf", run "rndc reconfig", and you are done.
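Before trusting that the single setting above took effect, confirm it from the outside. The following script is an added example, not part of the ISC article: it inspects the text output of dig for the two observable signs of a validating resolver (the AD flag on a correctly signed zone, and SERVFAIL for a zone whose signatures are deliberately broken). The query names isc.org and dnssec-failed.org, the default server 127.0.0.1, and the sample dig headers embedded for offline testing are choices made here, not from the article.

```sh
#!/bin/sh
# Added example (not from the ISC article): check that a recursive BIND
# server is really validating after "dnssec-validation auto;" is in place.
# Both checks are pure string tests on dig output, so they can also be
# exercised offline against captured output.

# Pass dig output on stdin.  Succeeds (exit 0) only when the answer was
# NOERROR and the resolver set the AD (Authenticated Data) flag, which a
# validating resolver does for a correctly signed zone when the client
# asked with +dnssec (DO bit set).
validated_answer() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]' || return 1
}

# Pass dig output on stdin.  Succeeds only when the resolver answered
# SERVFAIL, which is what a validating resolver returns for a zone whose
# signatures are deliberately broken (a non-validating one returns NOERROR).
bogus_rejected() {
    grep -q 'status: SERVFAIL'
}

# Live check against a resolver (default: the local named, an assumption).
# dnssec-failed.org is a publicly maintained test zone with intentionally
# invalid signatures.  Returns 0 only when both checks pass.
check_resolver() {
    server="${1:-127.0.0.1}"
    dig +dnssec @"$server" isc.org SOA | validated_answer || {
        echo "no AD flag on a signed zone: validation is NOT active on $server"
        return 1
    }
    dig +dnssec @"$server" dnssec-failed.org A | bogus_rejected || {
        echo "bogus zone was answered: validation is NOT active on $server"
        return 1
    }
    echo "DNSSEC validation active on $server"
}

# Constructed, abbreviated dig headers for offline testing (not captured
# from a real server).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Source the file and run "check_resolver" (optionally with the resolver address) after "rndc reconfig". The second query matters as much as the first: a resolver that merely forwards the AD bit from an upstream would pass the first check, but only a resolver that validates itself will refuse the broken zone.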

Note when using multiple views

The "dnssec-validation auto;" option may also be set per view, in any view that provides recursive service. When several views share one cache with "attach-cache", the setting must be identical in all of the views sharing that cache; otherwise validated and unvalidated data would be mixed in the same cache.

What will happen if/when the root KSK is rolled over / superseded by a new keypair?

At this writing (April 2018) the root zone is still signed with the original root KSK introduced in 2010; a roll of the root key is planned for fall 2018. BIND 9 will do the right thing in accordance with RFC 5011, provided the root zone operators do. named stores the root key, as received from the root servers and validated against the trust anchor it already holds, in its managed-keys database, and it will learn and accept the new key the same way. RFC 5011 requires the new key to be observed for the add hold-down period (30 days) before it is trusted, so as long as your server is up, running and able to reach the root servers during the rollover period, you should be fine.

Of course, if the root zone operators fail to adhere to RFC 5011 procedures in their KSK rollover, we cannot say what to expect.

If your server misses the rollover period for some reason (it was down or disconnected during the hold-down period, or it was freshly installed or activated from a copy of BIND whose built-in key is outdated after the rollover has completed), it will hold a trust anchor that no longer matches the root zone, and validation will fail until the anchor is replaced. Recovering takes only a little longer: see below about bindkeys-file.

Note that here "outdated" may simply mean that the rollover took place before ISC was able to release new BIND versions. If and when the root KSK changes, ISC will strive to release an update for all then-supported BIND versions, and that update will contain the new trust anchor.

How do I override the built-in trust anchor?

Download the current bind.keys file from ISC and save it as your bindkeys-file (the default path is "/etc/bind.keys"). If you have an incorrect or outdated managed-keys database in the named working directory (or in the directory set with the managed-keys-directory option), stop named and delete the files managed-keys.bind and managed-keys.bind.jnl before starting it again; named will then initialize its managed keys from the bindkeys-file. (Yes, the 9.11 version of the file works for all later versions of BIND 9.)
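The reset step above is easy to get wrong under a live named, which rewrites the database (and replays its journal) on top of whatever was removed. The function below is an added example, not ISC's code: it refuses to proceed while "rndc status" succeeds, moves the managed-keys files aside with a timestamp instead of deleting them, and reports how many files it moved. The directory argument and the use of "rndc status" as a liveness check are assumptions made here. It also handles the per-view <hash>.mkeys files that named uses when views are configured, a detail from the BIND ARM rather than from this article.

```sh
#!/bin/sh
# Added example (not from the ISC article): move named's managed-keys
# database aside so it is rebuilt from the trust anchors in bindkeys-file
# on the next start.  Run it while named is stopped.
#
# Assumptions (not from the article): $1 is the working directory or the
# managed-keys-directory; "rndc status" succeeding means named is running.
# Files are moved aside rather than deleted so the old state can be
# inspected or restored.  Prints the number of files moved.

reset_managed_keys() {
    dir="${1:?usage: reset_managed_keys <managed-keys-directory>}"

    # Refuse to touch the files under a running named.
    if rndc status >/dev/null 2>&1; then
        echo "named appears to be running; stop it first" >&2
        return 1
    fi

    stamp=$(date +%Y%m%d%H%M%S)
    moved=0
    # managed-keys.bind(.jnl) is the database when no views are configured;
    # with views each view keeps its own <hash>.mkeys(.jnl) file.
    for f in "$dir"/managed-keys.bind "$dir"/managed-keys.bind.jnl \
             "$dir"/*.mkeys "$dir"/*.mkeys.jnl; do
        [ -e "$f" ] || continue        # absent file or unexpanded glob
        mv "$f" "$f.bak-$stamp" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

Typical use: stop named, run "reset_managed_keys /var/cache/bind" (or whatever your working directory is), confirm the new bind.keys is in place, start named, and then verify validation with dig as described earlier. A result of 0 on a fresh install is normal: there was nothing stale to remove.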

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.
