trusted-keys Statement
trusted-keys {
[ domain_name number number number string; ]
};
trusted-keys
statement is for use with DNSSEC-style security, originally specified
in RFC 2065. DNSSEC is meant to
provide three distinct services: key distribution, data origin
authentication, and transaction and request authentication. A
complete description of DNSSEC and its use is beyond the scope of this
document, and readers interested in more information should start with
RFC 2065 and then continue with the
Internet Drafts.
Each trusted key is associated with a domain name. Its attributes are the non-negative integral flags, protocol, and algorithm, as well as a base-64 encoded string representing the key.
A trusted key is added when a public key for a non-authoritative zone is known, but cannot be securely obtained through DNS. This occurs when a signed zone is a child of an unsigned zone. Adding the trusted key here allows data signed by that zone to be considered secure.[ BIND Config. File | BIND Home | ISC ]