Subject: named doesn't fall back to built-in keys if bind.keys is empty MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) Content-Disposition: inline X-RT-Interface: Web Message-ID: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: binary X-RT-Original-Encoding: utf-8 X-RT-Encrypt: 0 X-RT-Sign: 0 Content-Length: 389 If bind.keys is missing, named falls back to using built-in keys for dnssec-validation (and currently lookaside) auto. However, if bind.keys exists but is empty, then named doesn't fall back; it just treats it as an empty trust anchor configuration and runs without validating. It should detect the absence of the key it wanted and either fall back to built-in, or log an error and exit.