mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
7045da6d6a
Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, scheduled for publication in January 2025. (cherry picked from commit 609bf35075868ceca1a39b003613317d7796e6dd)
60 lines
2.9 KiB
Plaintext
60 lines
2.9 KiB
Plaintext
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
#
|
|
# SPDX-License-Identifier: MPL-2.0
|
|
#
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
#
|
|
# See the COPYRIGHT file distributed with this work for additional
|
|
# information regarding copyright ownership.
|
|
|
|
# The bind.keys file is used to override the built-in DNSSEC trust anchors
|
|
# which are included as part of BIND 9. The only trust anchors it contains
|
|
# are for the DNS root zone ("."). Trust anchors for any other zones MUST
|
|
# be configured elsewhere; if they are configured here, they will not be
|
|
# recognized or used by named.
|
|
#
|
|
# To use the built-in root key, set "dnssec-validation auto;" in the
|
|
# named.conf options, or else leave "dnssec-validation" unset. If
|
|
# "dnssec-validation" is set to "yes", then the keys in this file are
|
|
# ignored; keys will need to be explicitly configured in named.conf for
|
|
# validation to work. "auto" is the default setting, unless named is
|
|
# built with "configure --disable-auto-validation", in which case the
|
|
# default is "yes".
|
|
#
|
|
# This file is NOT expected to be user-configured.
|
|
#
|
|
# Servers being set up for the first time can use the contents of this file
|
|
# as initializing keys; thereafter, the keys in the managed key database
|
|
# will be trusted and maintained automatically.
|
|
#
|
|
# These keys are current as of November 2024. If any key fails to
|
|
# initialize correctly, it may have expired. This should not occur if
|
|
# BIND is kept up to date.
|
|
#
|
|
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
|
|
# anchor information for the root zone.
|
|
|
|
trust-anchors {
|
|
# This key (20326) was published in the root zone in 2017, and
|
|
# is scheduled to be phased out starting in 2025. It will remain
|
|
# in the root zone until some time after its successor key has
|
|
# been activated. It will remain this file until it is removed
|
|
# from the root zone.
|
|
|
|
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
|
|
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
|
|
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
|
|
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
|
|
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
|
|
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
|
|
R1AkUTV74bU=";
|
|
# This key (38696) will be pre-published in the root zone in 2025
|
|
# and is scheduled to begin signing in late 2026. At that time,
|
|
# servers which were already using the old key (20326) should roll
|
|
# seamlessly to this new one via RFC 5011 rollover.
|
|
. initial-ds 38696 8 2 "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A
|
|
4C0FB2B16";
|
|
};
|