Updating of DNS Validating Resolvers with the Latest Trust Anchor

Procedure:
To test whether or not the resolver you operate is doing DNSSEC validation, you can use the special domain "dnssec-failed.org", which is operated as a public service by Comcast. This special domain is set up so that validating resolvers will purposely fail to give an answer. Give the following command at a shell command line:

dig @ADDRESS dnssec-failed.org a +dnssec

In that command, replace the string ADDRESS with the IPv4 or IPv6 address of the resolver you operate.

If the response includes the following:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL

then the resolver is doing DNSSEC validation. (The SERVFAIL status here indicates that validation failed, which means that validation is in fact happening.)

If instead the response includes the following:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR

then the resolver is not doing DNSSEC validation.
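As an added example (not part of the original procedure), the following POSIX shell script runs the probe above against a resolver and classifies it from the header status line; the function names and the sample header lines are my own constructions, and a response with no HEADER line (for example a timeout) is reported as "unknown" rather than as a pass.

```shell
#!/bin/sh
# Classify a resolver from its answer to the dnssec-failed.org probe.
# Reads dig output on stdin and prints one of:
#   validating      - header status SERVFAIL (validation happened and failed, as expected)
#   not-validating  - header status NOERROR  (the bogus answer was accepted)
#   unknown         - no HEADER line (timeout, unreachable resolver, other error)
classify_dig_output() {
    status=$(sed -n 's/^;; ->>HEADER<<- opcode: QUERY, status: \([A-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo "validating" ;;
        NOERROR)  echo "not-validating" ;;
        *)        echo "unknown" ;;
    esac
}

# Run the probe from the procedure against one resolver (needs dig and network access).
# $1 is the resolver's IPv4 or IPv6 address, i.e. the ADDRESS placeholder above.
check_resolver() {
    dig @"$1" dnssec-failed.org a +dnssec 2>/dev/null | classify_dig_output
}

# Constructed sample header lines for offline use (not captured from a real resolver).
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_NOT_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345'

# Usage: check_resolver 192.0.2.53   (documentation address, replace with your resolver)
```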

BIND

First check that DNSSEC validation is set in your configuration file. You should see a line in the options section that says either dnssec-validation auto; or dnssec-validation yes;. If you have dnssec-validation set to auto, you do not need to update your software or configuration. You simply need to restart your software, using whatever command you normally use to stop and start BIND; this will bring in the latest trust anchors for dnssec-validation auto.

If your configuration shows dnssec-validation yes;, you must change it to dnssec-validation auto; and restart your server before taking the steps below.
If you can update your software:

1. Update to the latest sub-version of BIND 9.9, BIND 9.10, or BIND 9.11 using whatever method you used to install the software. If you are running BIND 9.8, it is no longer supported software, and you need to update to BIND 9.9 or later. You want a sub-version of at least:

   - BIND 9.9.10
   - BIND 9.10.5
   - BIND 9.11.1

2. In your configuration file, be sure that the options section has a line that says dnssec-validation auto;.

3. Stop the old version of BIND and start the new version, using whatever command you normally use to stop and start BIND.

If you cannot update your software:

1. Update the bind.keys file to include the new trust anchor. The bind.keys file should be stored in the same directory in which BIND's other files are created. Alternatively, if your named.conf file has a managed-keys section that lists the trust anchors, you can update that section. The revised file or configuration section should contain the following:

managed-keys {
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";

. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

If the configuration has dnssec-validation set to auto, the contents of the bind.keys file will be combined with the contents of the managed-keys block in the configuration.

For more information, please visit https://www.icann.org/dns-resolvers-updating-latest-trust-anchor
