• Print
  • Share
  • Dark

DNSSEC Validation the Easy Way

  • Updated on 15 Oct 2018
  • 1 minute to read
  • Contributors 


You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest.


ISC BIND 9 (in all currently supported versions at the time of this writing) contains a built-in copy of the root zone KSK (key signing key). To activate validation using this trust anchor requires only one non-default setting in your named.conf options statement:

options { ... dnssec-validation auto; ... };

With that added, rndc reconfig and you are done.

Note when using multiple viewsThe dnssec-validation auto; option may also be set per view, where a view is providing recursive service. When sharing a cache among views with attach-cache, the option must be the same for all affected views.

How do I override the built-in trust anchor?Simply download this file: https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11. Save it as your bindkeys-file (default path/filename is "/etc/bind.keys"). If you have an incorrect or outdated managed-keys database in your named working directory (or as changed with the managed-keys-directory option), delete the files called managed-keys.bind and managed-keys.bind.jnl before starting named. (Yes, the 9.11 file version works for all later versions of BIND 9.)

Problems with this site? Email us at marketing@isc.org