On Tue, Feb 24, 2009 at 09:53:56PM +0100, Kurt Roeckx wrote:
> Package: bind9
> Severity: wishlist
>
> Hi,
>
> It would be nice if dnssec was enabled by default.
>
> I would also like to see itar (https://itar.iana.org/) and
> dlv (https://www.isc.org/solutions/dlv) to be enabled
> by default.

So the root zone has been signed now. And it would be nice
if you could add that to the package.

As far as I can tell, this should get added to the config
file:

managed-keys {
  "." initial-key 257 3 8 "
    AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
    QxA+Uk1ihz0=
  ";
};

You can find this key in the root.zone.signed on
ftp://ftp.internic.net/domain/

The SHA-256 sum is also available at
http://data.iana.org/root-anchors in root-anchors.xml

You can verify the SHA-256 sum with dnssec-dsfromkey

I've also added "dnssec-lookaside auto;" in the options.


Kurt
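
An added example, not part of the original message and not Debian or ISC code: the check the message delegates to dnssec-dsfromkey, done by hand, so that the key tag and SHA-256 DS digest of the posted managed-keys entry can be compared with the values in root-anchors.xml. The function names are hypothetical, and the published digest is assumed to be copied in by the reader.

```python
import base64, hashlib, hmac, re, struct

# The trust-anchor statement as posted in the message above.
MANAGED_KEYS = '''
managed-keys {
  "." initial-key 257 3 8 "
    AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
    QxA+Uk1ihz0=
  ";
};
'''
ENTRY = re.compile(r'"([^"]+)"\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name; the root is one zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_anchor(text):
    """Return (owner name, DNSKEY RDATA) for the first initial-key entry."""
    m = ENTRY.search(text)
    if m is None:
        raise ValueError("no initial-key entry found")
    name, flags, proto, alg, b64 = m.groups()
    key = base64.b64decode("".join(b64.split()), validate=True)
    return name, struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(name, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner wire name plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(name) + rdata).hexdigest().upper()

def matches_published(name, rdata, published_hex):
    """Compare with a digest copied from root-anchors.xml (whitespace and case ignored)."""
    return hmac.compare_digest(ds_sha256(name, rdata), "".join(published_hex.split()).upper())

if __name__ == "__main__":
    owner, rdata = parse_anchor(MANAGED_KEYS)
    print(owner, "key tag", key_tag(rdata), "DS SHA-256", ds_sha256(owner, rdata))
```

A mismatch in either value means the key in the config is not the one IANA published and should not be installed as a trust anchor.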