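--- a/bind.keys
+++ b/bind.keys
@@ -1,47 +1,70 @@
-/* $NetBSD: bind.keys,v 1.1 2013/04/25 17:02:29 christos Exp $ */
-/* Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp */
+/* $NetBSD: bind.keys,v 1.1.14.1 2018/03/10 16:11:45 snj Exp $ */
 # The bind.keys file is used to override the built-in DNSSEC trust anchors
 # which are included as part of BIND 9. As of the current release, the only
 # trust anchors it contains are those for the DNS root zone ("."), and for
 # the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
 # for any other zones MUST be configured elsewhere; if they are configured
 # here, they will not be recognized or used by named.
 #
 # The built-in trust anchors are provided for convenience of configuration.
 # They are not activated within named.conf unless specifically switched on.
 # To use the built-in root key, set "dnssec-validation auto;" in
 # named.conf options. To use the built-in DLV key, set
 # "dnssec-lookaside auto;". Without these options being set,
 # the keys in this file are ignored.
 #
 # This file is NOT expected to be user-configured.
 #
-# These keys are current as of January 2011. If any key fails to
+# These keys are current as of February 2017. If any key fails to
 # initialize correctly, it may have expired. In that event you should
 # replace this file with a current version. The latest version of
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
 
 managed-keys {
 # ISC DLV: See https://www.isc.org/solutions/dlv for details.
-# NOTE: This key is activated by setting "dnssec-lookaside auto;"
-# in named.conf.
+#
+# NOTE: The ISC DLV zone is being phased out as of February 2017;
+# the key will remain in place but the zone will be otherwise empty.
+# Configuring "dnssec-lookaside auto;" to activate this key is
+# harmless, but is no longer useful and is not recommended.
 dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
 Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
 QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
 TDN0YUuWrBNh";
 
-# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
+# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
 # for current trust anchor information.
-# NOTE: This key is activated by setting "dnssec-validation auto;"
-# in named.conf.
+#
+# These keys are activated by setting "dnssec-validation auto;"
+# in named.conf.
+#
+# This key (19036) is to be phased out starting in 2017. It will
+# remain in the root zone for some time after its successor key
+# has been added. It will remain this file until it is removed from
+# the root zone.
 . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
 FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
 bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
 X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
 W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
 QxA+Uk1ihz0=";
+
+# This key (20326) is to be published in the root zone in 2017.
+# Servers which were already using the old key (19036) should
+# roll seamlessly to this new one via RFC 5011 rollover. Servers
+# being set up for the first time can use the contents of this
+# file as initializing keys; thereafter, the keys in the
+# managed key database will be trusted and maintained
+# automatically.
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
++/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+R1AkUTV74bU=";
 };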
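Review bot: The comment added above the 20326 entry names only the key tag and does not say how the key material was checked, although this entry becomes an initializing trust anchor for every first-time `dnssec-validation auto;` setup. I would add a line such as `# Verify this key against the 20326 digest published in root-anchors.xml (URL above).` so the next person updating the file has a stated check to repeat. The same comment says existing servers "should roll seamlessly" via RFC 5011; that presumably depends on named having been running and able to write its managed key database while both keys were published, which is worth stating so operators confirm it before 19036 is withdrawn. Separately, the new comment on the 19036 key has a dropped word: `It will remain this file until it is removed from` should read `It will remain in this file until it is removed from`.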