 @@ -1,47 +1,70 @@
-/*	$NetBSD: bind.keys,v 1.1 2013/04/25 17:02:29 christos Exp $	*/
+/*	$NetBSD: bind.keys,v 1.1.14.1 2018/03/10 16:11:45 snj Exp $	*/
 /* Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp  */
 # The bind.keys file is used to override the built-in DNSSEC trust anchors
 # which are included as part of BIND 9.  As of the current release, the only
 # trust anchors it contains are those for the DNS root zone ("."), and for
 # the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
 # for any other zones MUST be configured elsewhere; if they are configured
 # here, they will not be recognized or used by named.
+#
 # The built-in trust anchors are provided for convenience of configuration.
 # They are not activated within named.conf unless specifically switched on.
 # To use the built-in root key, set "dnssec-validation auto;" in
 # named.conf options.  To use the built-in DLV key, set
 # "dnssec-lookaside auto;".  Without these options being set,
 # the keys in this file are ignored.
+#
 # This file is NOT expected to be user-configured.
+#
-# These keys are current as of January 2011.  If any key fails to
+# These keys are current as of February 2017.  If any key fails to
 # initialize correctly, it may have expired.  In that event you should
 # replace this file with a current version.  The latest version of
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
 managed-keys {
 	# ISC DLV: See https://www.isc.org/solutions/dlv for details.
         # NOTE: This key is activated by setting "dnssec-lookaside auto;"
-        # in named.conf.
+	# NOTE: The ISC DLV zone is being phased out as of February 2017;
 	# the key will remain in place but the zone will be otherwise empty.
 	# Configuring "dnssec-lookaside auto;" to activate this key is
 	# harmless, but is no longer useful and is not recommended.
 	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
 		brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
 uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
 		ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
 		Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
 		QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
 		TDN0YUuWrBNh";
-	# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+	# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
 	# for current trust anchor information.
         # NOTE: This key is activated by setting "dnssec-validation auto;"
-        # in named.conf.
+	# These keys are activated by setting "dnssec-validation auto;"
 	# in named.conf.
+	#
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from
 	# the root zone.
 	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
 		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
 		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
 		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
 		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
 		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
 		QxA+Uk1ihz0=";
 	# This key (20326) is to be published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers
 	# being set up for the first time can use the contents of this
 	# file as initializing keys; thereafter, the keys in the
 	# managed key database will be trusted and maintained
 	# automatically.
 	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
 		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
 jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
 		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
 		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
 		R1AkUTV74bU=";
 };