In message , "Mukund Sivaraman via RT" writes:
> Warren Kumari asked today (IETF meeting) that we warn whenever we notice a
> trusted-keys option in config, that it is a fixed trust anchor and that users
> should ideally be using managed-keys.
>
> I asked him (and Jim Martin who was sitting next to him) if he expected BIND
> to warn just for the root or for any trust point and he said it should be
> any.
>
> From a previous discussion at ICANN with him, I think he fears that many
> BIND tutorials from history have described using trusted-keys, and so, many
> users have resolvers set up with trusted-keys in config.

managed-keys are for keys where the administrator has stated that they are
using RFC 5011. I know of exactly two of these. The root and dlv.isc.org.

Warning for "." and "dlv.isc.org" when they match the built-in managed keys
would be appropriate.

Warning for keys in both trusted-keys and managed-key would be appropriate.

Anything else should not be flagged.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
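
Added example (not part of the original message and not BIND's code): a small Python check over named.conf text that warns only in the two cases the reply above calls appropriate, and stays silent otherwise. The `BUILTIN` key data, the sample configuration and the function names are constructed for illustration, and the regex parser is a simplification that does not handle comments or include files.

```python
import re

# Constructed placeholders standing in for the anchors built into named;
# these are NOT the real root or dlv.isc.org key data.
BUILTIN = {
    ".": (257, 3, 8, "PLACEHOLDERROOTKEY"),
    "dlv.isc.org": (257, 3, 5, "PLACEHOLDERDLVKEY"),
}

# name [initial-key] flags protocol algorithm "key data";
ENTRY = re.compile(
    r'"?([\w.-]+)"?\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')

def parse_keys(conf, stanza):
    """Return {(name, flags, proto, alg, keydata)} for every entry in stanza."""
    keys = set()
    pattern = r'\b%s\s*\{(.*?)\}\s*;' % re.escape(stanza)
    for body in re.findall(pattern, conf, re.S):
        for name, flags, proto, alg, data in ENTRY.findall(body):
            name = name.lower().rstrip(".") or "."   # normalise trailing dot
            data = "".join(data.split())             # key data may be wrapped
            keys.add((name, int(flags), int(proto), int(alg), data))
    return keys

def lint(conf):
    """Warn only for the two cases named in the reply; flag nothing else."""
    trusted = parse_keys(conf, "trusted-keys")
    managed = parse_keys(conf, "managed-keys")
    warnings = []
    for key in sorted(trusted):
        name = key[0]
        if BUILTIN.get(name) == key[1:]:
            warnings.append("%s: trusted-keys entry matches the built-in managed key" % name)
        if key in managed:
            warnings.append("%s: same key is in both trusted-keys and managed-keys" % name)
    return warnings

# Constructed sample configuration.
SAMPLE = '''
trusted-keys {
    "." 257 3 8 "PLACEHOLDER ROOTKEY";
    example.com. 257 3 8 "CONSTRUCTEDKEYA";
    example.net. 257 3 8 "CONSTRUCTEDKEYB";
};
managed-keys {
    example.net. initial-key 257 3 8 "CONSTRUCTEDKEYB";
};
'''

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```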