xref: /netbsd-src/external/mpl/bind/include/bind.keys.h (revision bcda20f65a8566e103791ec395f7f499ef322704)
1 #pragma once
/*
 * TRUST_ANCHORS: the text of BIND's bind.keys file as one C string literal.
 * Every source line ends in a newline escape followed by a line
 * continuation, and embedded double quotes are backslash-escaped, so the
 * macro expands to the file's contents verbatim.
 * NOTE(review): presumably this is the compiled-in copy that named uses
 * when no bind.keys file overrides it -- confirm against the code that
 * references TRUST_ANCHORS.
 *
 * Contents: a single trust-anchors block for the root zone (".") with
 *   - initial-key 257 3 8: DNSKEY for key tag 20326 (flags 257 = zone key
 *     with the SEP bit set, i.e. a KSK; protocol 3; algorithm 8 =
 *     RSA/SHA-256), followed by the base64 public key;
 *   - initial-ds 38696 8 2: DS for key tag 38696 (algorithm 8, digest
 *     type 2 = SHA-256), followed by the hex digest.
 * Both are "initial-" anchors: per the embedded text they only seed
 * RFC 5011 key maintenance, after which the managed key database is what
 * named trusts.
 *
 * Security notes for maintainers:
 *   - These bytes are the root of trust for DNSSEC validation when
 *     "dnssec-validation auto;" is in effect (or the option is unset); a
 *     changed key or digest changes which signatures the resolver accepts.
 *     Review any diff to this macro character by character and compare it
 *     with https://data.iana.org/root-anchors/root-anchors.xml.
 *   - The embedded text states the keys are current as of November 2024;
 *     re-check them on every BIND import.
 *   - Because the initial anchors are only a bootstrap, the managed key
 *     database that takes over at run time needs the same integrity
 *     protection as this file.
 *   - NOTE(review): this header looks generated from bind.keys; if so,
 *     change that file and regenerate rather than editing here -- confirm.
 *   - NOTE(review): "It will remain this file" in the key 20326 comment is
 *     missing "in"; it sits inside the string literal, so it is left as
 *     upstream wrote it.
 */
2 #define TRUST_ANCHORS "\
3 # Copyright (C) Internet Systems Consortium, Inc. (\"ISC\")\n\
4 #\n\
5 # SPDX-License-Identifier: MPL-2.0\n\
6 #\n\
7 # This Source Code Form is subject to the terms of the Mozilla Public\n\
8 # License, v. 2.0. If a copy of the MPL was not distributed with this\n\
9 # file, you can obtain one at https://mozilla.org/MPL/2.0/.\n\
10 #\n\
11 # See the COPYRIGHT file distributed with this work for additional\n\
12 # information regarding copyright ownership.\n\
13 \n\
14 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
15 # which are included as part of BIND 9.  The only trust anchors it contains\n\
16 # are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
17 # be configured elsewhere; if they are configured here, they will not be\n\
18 # recognized or used by named.\n\
19 #\n\
20 # To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
21 # named.conf options, or else leave \"dnssec-validation\" unset.  If\n\
22 # \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
23 # ignored; keys will need to be explicitly configured in named.conf for\n\
24 # validation to work.  \"auto\" is the default setting, unless named is\n\
25 # built with \"configure --disable-auto-validation\", in which case the\n\
26 # default is \"yes\".\n\
27 #\n\
28 # This file is NOT expected to be user-configured.\n\
29 #\n\
30 # Servers being set up for the first time can use the contents of this file\n\
31 # as initializing keys; thereafter, the keys in the managed key database\n\
32 # will be trusted and maintained automatically.\n\
33 #\n\
34 # These keys are current as of November 2024.  If any key fails to\n\
35 # initialize correctly, it may have expired. This should not occur if\n\
36 # BIND is kept up to date.\n\
37 #\n\
38 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
39 # anchor information for the root zone.\n\
40 \n\
41 trust-anchors {\n\
42         # This key (20326) was published in the root zone in 2017, and\n\
43         # is scheduled to be phased out starting in 2025. It will remain\n\
44         # in the root zone until some time after its successor key has\n\
45         # been activated. It will remain this file until it is removed\n\
46         # from the root zone.\n\
47 \n\
48         . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
49                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
50                 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
51                 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
52                 oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
53                 RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
54                 R1AkUTV74bU=\";\n\
55         # This key (38696) will be pre-published in the root zone in 2025\n\
56         # and is scheduled to begin signing in late 2026. At that time,\n\
57         # servers which were already using the old key (20326) should roll\n\
58         # seamlessly to this new one via RFC 5011 rollover.\n\
59         . initial-ds 38696 8 2 \"683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A\n\
60         4C0FB2B16\";\n\
61 };\n\
62 "
63