dnssec-validation auto;
bindkeys-file "managed.conf";
{% else %}
- # Note: We only reference the bind.keys file here to
- # confirm that it is *not* being used. It contains the
- # real root key, and we're using a local toy root zone for
- # the tests, so it wouldn't work. But dnssec-validation
- # is set to "yes" not "auto", so that won't matter.
dnssec-validation yes;
- bindkeys-file "../../../../../bind.keys";
{% endif %}
disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
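Review bot: The `{% else %}` branch now sets `dnssec-validation yes;` with no explanation, because the removed comment was the only place that said why `yes` rather than `auto` is used here. A one-line replacement would keep that intent visible to the next maintainer: `# "yes", not "auto": validate only against the explicitly configured toy-root trust anchor, never the built-in root key.` The trust-anchor statement this depends on lies outside the hunk, so confirm it is still present for this branch; with `yes` and no configured anchor, named performs no validation and the test could pass without exercising it. The `auto` branch still carries `bindkeys-file "managed.conf";`, which may need the same check if this change alters how that option is handled.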
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-# The bind.keys file is used to override the built-in DNSSEC trust anchors
-# which are included as part of BIND 9. The only trust anchors it contains
-# are for the DNS root zone ("."). Trust anchors for any other zones MUST
-# be configured elsewhere; if they are configured here, they will not be
-# recognized or used by named.
+# This file contains trust anchors for the DNS root zone (".") which are
+# compiled into named and delv. No other trust anchors can be configured
+# here.
#
-# To use the built-in root key, set "dnssec-validation auto;" in the
-# named.conf options, or else leave "dnssec-validation" unset. If
-# "dnssec-validation" is set to "yes", then the keys in this file are
-# ignored; keys will need to be explicitly configured in named.conf for
-# validation to work. "auto" is the default setting, unless named is
-# built with "configure --disable-auto-validation", in which case the
-# default is "yes".
-#
-# This file is NOT expected to be user-configured.
-#
-# Servers being set up for the first time can use the contents of this file
-# as initializing keys; thereafter, the keys in the managed key database
-# will be trusted and maintained automatically.
-#
-# These keys are current as of November 2024. If any key fails to
+# These keys are current as of October 2025. If any key fails to
# initialize correctly, it may have expired. This should not occur if
# BIND is kept up to date.
#