-
Print
-
DarkLight
-
PDF
9.16 DNSSEC validation automatic trust anchor management
When upgrading to BIND 9.16 from 9.11 - the two current active releases - you might wonder what this log message means:
named[xxx]: dnssec: warning: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period
As the message suggests, it is to do with trust anchors for DNSSEC. But what is automatic management and why am I only seeing it now?
Trust anchors are the public keys associated with the private keys used to sign a zone: the public keys are held as a DNSKEY RRset in the zone. If DNSSEC validation is required on a recursive server, then when BIND starts up it needs to establish a trust anchor for the root zone, which can be done in one of two ways:
- A
trust-anchors
statement can be added into named.conf manually. For this you will need to obtain a guaranteed genuine version of the root key because this becomes the basis on which all validation is done. Having done this, in named.conf set the parameterdnssec-validation
toyes
, which was the default before BIND 9.13. - In
named.conf
set the parameterdnssec-validation
toauto
, which is the new default since BIND 9.13. This causes BIND to use the procedures defined in RFC 5011 to obtain the key automatically. It is this process that generates the warning message highlighted above.
The default was changed from yes
to auto
in 9.13 to bring BIND more in line with global standards, making it a fully validating resolver 'out of the box'.
The value auto
may not be appropriate in all cases: for example for an internal-only recursive server that cannot obtain the root DNSKEY RRset for itself. In this case, set dnssec-validation
to yes
(the old default) and add trust-anchors
manually.
With manually added trust anchors you have the choice of defining them as a static-key
or an initial-key
.
static-key
is appropriate for a server that cannot reach the Internet, e.g. an internal resolver, as mentioned above. This key is always trusted and needs to be maintained by hand when the value of the public key in the Internet changes.
initial-key
is trusted once, at boot time. After that, automatic key updates occur using the same mechanism as setting dnssec-validation
to auto
and therefore requires that the server has Internet access. In practice, using auto
would be the easier choice.
Even if a BIND server is built with the intention of it being authoritative-only (i.e. configuring recursion no
in options
) it will still perform automatic trust anchor updates by default. To disable DNSSEC validation completely, set dnssec-validation
to no
. This allows it to be changed at a later date, if required.
If you wish to build BIND yourself from source, the default can be changed from auto
back to yes
at build time by using the configure option --disable-auto-validation
.
Further reading material on the subject of DNSSEC can be found in the following resources:
The BIND 9 ARM chapter on DNSSEC
DNSSEC validation - how can I tell if my server is doing it?