Current Root Trust Anchors (bind.keys)

The DNS root key is being updated.

The rollover includes multiple steps. The process began in 2017, and will continue through 2019.

Key dates are:

  • October 27, 2016: KSK rollover process begins as the new KSK is generated.
  • July 11, 2017: Publication of new KSK in DNS.
  • September 19, 2017: Size increase for DNSKEY response from root name servers.
  • October 11, 2018: New KSK begins to sign the root zone key set (the actual rollover event).
  • January 11, 2019: Revocation of old KSK.
  • March 22, 2019: Last day the old KSK appears in the root zone.
  • August 2019: Old key is deleted from equipment in both ICANN Key Management Facilities.

For more information, see this ISC blog or the ICANN web site.

Where can I find the current copy of bind.keys?

All versions of BIND since 9.8.x use the same bind.keys file. The current copy of the bind.keys file can be found on our ftp site:

How is the bind.keys file used?

When named starts, it needs certain information before it can respond to recursive queries, such as how to reach the root servers. If named is configured to do DNSSEC validation, it also needs to have starting trust anchors. While all of this information is configurable via the named.conf file, ISC has tried to make the configuration files simpler by compiling in this information so that it doesn’t have to be set in the named.conf file.
For root hints (initial priming of root servers), BIND 9 has had this for years. If you don’t put a hints file in named.conf, named will use the compiled-in hints.
Configuring trust anchors for DNSSEC validation has required adding trusted-keys statements explicitly to the named.conf file. ISC provides a bind.keys file that contains the root key and the DLV key. (Note that DLV has been decommissioned and we recommend updating resolver configurations that still query the DLV.)

For Current Releases (BIND 9.11 and higher):

  • If you configure your own managed-keys statement in named.conf, this will take precedence.
  • If you put “dnssec-validation auto” in named.conf, named will read the root key from bind.keys the first time it executes.
  • If you don’t have anything in named.conf and there is no bind.keys file, named will use the compiled-in keys.

Note: these are managed keys, so this only applies the first time you execute named. Assuming that the keys are not already expired (in which case named will log that the key is expired and validation will not work), named will use RFC 5011 to detect new keys and automatically roll and maintain keys. Once named is managing the keys, the current keys will be in managed-keys.bind (or in *.mkeys files, if you use views).
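Since named reads bind.keys only on its first start, it is worth confirming that the file you deploy carries the anchor you expect before that first run. The following is an added example (not ISC's code) that parses the `managed-keys` block in the 9.11-style bind.keys format, computes each key's key tag per RFC 4034 Appendix B, and checks for a KSK with a given tag; the file text and base64 key material are constructed for the demonstration and are not the real root keys.

```python
import base64
import re
import struct

# Constructed sample in the bind.keys "managed-keys" layout (9.11 style).
# The base64 blobs are NOT the real root KSKs; they are just bytes for
# the parser and the key-tag arithmetic to work on.
SAMPLE_BIND_KEYS = """
managed-keys {
        # comment lines are allowed inside the block
        . initial-key 257 3 8 "AQIDBA==";
        . initial-key 257 3 8 "BQYHCA==";
};
"""

# One initial-key statement; the quoted key may span several lines.
KEY_RE = re.compile(
    r'^\s*(?P<zone>\S+)\s+initial-key\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+'
    r'(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;', re.M)


def keytag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSAMD5 case)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_managed_keys(text):
    """Return (zone, flags, proto, alg, keytag) for every initial-key in text."""
    out = []
    for m in KEY_RE.finditer(text):
        # drop the whitespace/newlines that bind.keys puts inside the quotes
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("key")))
        flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
        out.append((m.group("zone"), flags, proto, alg, keytag(flags, proto, alg, raw)))
    return out


def has_anchor(text, expected_tag, zone="."):
    """True if the file carries a KSK (flags 257) for zone with expected_tag."""
    return any(z == zone and f == 257 and t == expected_tag
               for z, f, _, _, t in parse_managed_keys(text))


if __name__ == "__main__":
    for entry in parse_managed_keys(SAMPLE_BIND_KEYS):
        print("zone=%s flags=%d proto=%d alg=%d keytag=%d" % entry)
```

Point `parse_managed_keys` at the real bind.keys text and compare the tags it reports with the key tags published for the root KSKs; a mismatch means named would start with the wrong anchor.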

Earlier versions of BIND

BIND 9.6 and 9.7 included bind.keys files with the same keys in a slightly different format. We are not providing updated bind.keys files for these releases as they are well past end-of-life. If you are using them, we recommend upgrading to a supported version.

Last modified: October 14, 2018 at 8:45 am