From: Evan Hunt Date: Sat, 11 Oct 2025 00:41:07 +0000 (-0700) Subject: clean up bind.keys X-Git-Tag: v9.21.15~70^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15b0ff5036fd5a9a26458e965e2cfbe523905317;p=thirdparty%2Fbind9.git clean up bind.keys the comments in the bind.keys file were outdated; the file now only exists to be converted into bind.keys.h and compiled into named and delv. some tests also referenced it, and have been cleaned up, since the keys in it are already built into named.
---
diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2
index bc3e2fd87bd..7c21e734f2e 100644
--- a/bin/tests/system/dnssec/ns4/named.conf.j2
+++ b/bin/tests/system/dnssec/ns4/named.conf.j2
@@ -37,13 +37,7 @@ options {
 dnssec-validation auto;
 bindkeys-file "managed.conf";
 {% else %}
- # Note: We only reference the bind.keys file here to
- # confirm that it is *not* being used. It contains the
- # real root key, and we're using a local toy root zone for
- # the tests, so it wouldn't work. But dnssec-validation
- # is set to "yes" not "auto", so that won't matter.
 dnssec-validation yes;
- bindkeys-file "../../../../../bind.keys";
 {% endif %}
 disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
diff --git a/bin/tests/system/journal/ns1/named.conf.in b/bin/tests/system/journal/ns1/named.conf.in
index fc16127ccb2..479686fdb25 100644
--- a/bin/tests/system/journal/ns1/named.conf.in
+++ b/bin/tests/system/journal/ns1/named.conf.in
@@ -21,7 +21,6 @@ options {
 listen-on { 10.53.0.1; };
 listen-on-v6 { none; };
 dnssec-validation auto;
- bindkeys-file "../../../../../bind.keys";
 minimal-responses no;
 recursion no;
 notify yes;
diff --git a/bin/tests/system/journal/ns2/named.conf.in b/bin/tests/system/journal/ns2/named.conf.in
index e0fd9d8295a..2bf78fe4323 100644
--- a/bin/tests/system/journal/ns2/named.conf.in
+++ b/bin/tests/system/journal/ns2/named.conf.in
@@ -21,7 +21,6 @@ options {
 listen-on { 10.53.0.2; };
 listen-on-v6 { none; };
 dnssec-validation auto;
- bindkeys-file "../../../../../bind.keys";
 minimal-responses no;
 recursion no;
 notify yes;
diff --git a/bind.keys b/bind.keys
index dffbea5d6bc..4cead78f165 100644
--- a/bind.keys
+++ b/bind.keys
@@ -9,27 +9,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-# The bind.keys file is used to override the built-in DNSSEC trust anchors
-# which are included as part of BIND 9. The only trust anchors it contains
-# are for the DNS root zone ("."). Trust anchors for any other zones MUST
-# be configured elsewhere; if they are configured here, they will not be
-# recognized or used by named.
+# This file contains trust anchors for the DNS root zone (".") which are
+# compiled into named and delv. No other trust anchors can be configured
+# here.
 #
-# To use the built-in root key, set "dnssec-validation auto;" in the
-# named.conf options, or else leave "dnssec-validation" unset. If
-# "dnssec-validation" is set to "yes", then the keys in this file are
-# ignored; keys will need to be explicitly configured in named.conf for
-# validation to work. "auto" is the default setting, unless named is
-# built with "configure --disable-auto-validation", in which case the
-# default is "yes".
-#
-# This file is NOT expected to be user-configured.
-#
-# Servers being set up for the first time can use the contents of this file
-# as initializing keys; thereafter, the keys in the managed key database
-# will be trusted and maintained automatically.
-#
-# These keys are current as of November 2024. If any key fails to
+# These keys are current as of October 2025. If any key fails to
 # initialize correctly, it may have expired. This should not occur if
 # BIND is kept up to date.
 #
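Review bot: The rewritten bind.keys header drops the statement that this file is not meant to be user-edited and says nothing about when an edit takes effect, even though per the commit message the file now exists only to be converted into bind.keys.h and compiled in. Someone who finds bind.keys in a source tree and replaces the key material would otherwise expect a running named to honour it, and since the dnssec/ns4 named.conf.j2 hunk keeps `bindkeys-file "managed.conf";`, a file of this format evidently can still be loaded explicitly. After the `+# here.` line I would add `# Changes to this file take effect only when named and delv are rebuilt.`, or, if the `bindkeys-file` default still reads an installed copy of this file at startup, state that instead. The key data that follows the header is outside the hunk.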