Current Keys

This page lists the current keys / DS records.

If you want to test your implementation against this server, you will need to tell it that this server is the DNS Root and what the current (fake) root key is. This information is below.

I have also included an example config file (named.conf) for testing with ISC BIND; I will add additional example config files in the future. If you would like an example for your implementation added, please email me one.

Raw Information

Root server IP
Current Key ID 10411
Current Key DS . IN DS 10411 8 2 A513E3FF31AE89DFEBB44308F80E9539C93A59E9CA63E74FF1901A8C8C264003
Current Key 257 3 8 AwEAAd969+oFpfSsrA8hLqzJGBwHFZIBahguEJe0/GQubGlqkvgu4mo6 //z4MXUbpjS58rbnx7IjBuNvdguOOrXiUObUYLyxB/zhhGu0dDIYm557 VstJi7mFr8MTtYgyRwbkDxUWCcLJY7F8MFwuZ7ZfAOcOYMTTGIhekmrn yFm6D0EuRBIyooXF/T/VYf5KAOi4kiZPVYcOZ5X6B3h5U6aoQDctUHUP XnT8Q3TgMfuw1W4OcEqFyrRVGy0iIENWI2N2zxyEBqKxyUcZ9zqlblnG TeBvvJreI6so1YHWG5LPz3mBHbsrvQGG0LCx2wCHAEoaiHCNBMN0qLAk zRebepukD+s=
Key file K.+008+10411.key
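Before pointing a resolver at a fake root key, it is worth checking that the DS record and the DNSKEY listed above actually agree, and that the key ID is the RFC 4034 key tag of that DNSKEY. The following Python example is added here and is not part of this page or of the keyroll server's tooling: it recomputes the key tag and the SHA-256 DS digest in the RFC 4034 / RFC 4509 way and compares them with a published DS line. The function names are mine; the DNSKEY and DS values are copied from the "Raw Information" section, and the tiny keys used in the self-checks are constructed, not real keys. A match only shows that the page is internally consistent, which is the check you want before installing the key; it says nothing about whether the key belongs to the real root (by design, it does not).

```python
# Added example (not from the keyroll page or from Jakob Schlyter's toolset):
# recompute a DNSKEY's RFC 4034 key tag and its DS digest and compare them with
# a published DS line, before the key is installed as a trust anchor.
import base64
import hashlib
import struct

# Copied from the "Raw Information" section of the page.
PAGE_OWNER = "."
PAGE_DNSKEY = (
    "257 3 8 "
    "AwEAAd969+oFpfSsrA8hLqzJGBwHFZIBahguEJe0/GQubGlqkvgu4mo6 "
    "//z4MXUbpjS58rbnx7IjBuNvdguOOrXiUObUYLyxB/zhhGu0dDIYm557 "
    "VstJi7mFr8MTtYgyRwbkDxUWCcLJY7F8MFwuZ7ZfAOcOYMTTGIhekmrn "
    "yFm6D0EuRBIyooXF/T/VYf5KAOi4kiZPVYcOZ5X6B3h5U6aoQDctUHUP "
    "XnT8Q3TgMfuw1W4OcEqFyrRVGy0iIENWI2N2zxyEBqKxyUcZ9zqlblnG "
    "TeBvvJreI6so1YHWG5LPz3mBHbsrvQGG0LCx2wCHAEoaiHCNBMN0qLAk "
    "zRebepukD+s="
)
PAGE_DS = ". IN DS 10411 8 2 A513E3FF31AE89DFEBB44308F80E9539C93A59E9CA63E74FF1901A8C8C264003"


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-cased) wire form; the root is one empty label."""
    name = name.lower()
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(text: str):
    """Split 'flags protocol algorithm base64...' as printed on the page."""
    fields = text.split()
    return int(fields[0]), int(fields[1]), int(fields[2]), "".join(fields[3:])


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA; whitespace inside wrapped base64 is ignored."""
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum of the RDATA used as an identifier.
    It is not a cryptographic binding; collisions are possible and harmless."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 s5.1.4: digest(owner name in wire form | DNSKEY RDATA).
    Type 1 is SHA-1 (RFC 4034), type 2 is SHA-256 (RFC 4509)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              key_b64: str, digest_type: int = 2) -> str:
    """Render the DS line a signer would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                     digest_type, ds_digest(owner, rdata, digest_type))


def matches_published_ds(owner: str, flags: int, protocol: int, algorithm: int,
                         key_b64: str, published_ds: str) -> bool:
    """True if key tag, algorithm and digest recomputed from the DNSKEY all match
    the published '<owner> IN DS <tag> <alg> <digest type> <digest>' line."""
    f = published_ds.split()
    tag, alg, dtype, digest = int(f[3]), int(f[4]), int(f[5]), f[6].upper()
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata), algorithm, ds_digest(owner, rdata, dtype)) == (tag, alg, digest)


def page_key_matches() -> bool:
    """Check the page's DNSKEY against the page's DS record."""
    flags, proto, alg, key_b64 = parse_dnskey(PAGE_DNSKEY)
    return matches_published_ds(PAGE_OWNER, flags, proto, alg, key_b64, PAGE_DS)


if __name__ == "__main__":
    flags, proto, alg, key_b64 = parse_dnskey(PAGE_DNSKEY)
    print("computed: ", ds_record(PAGE_OWNER, flags, proto, alg, key_b64))
    print("published:", PAGE_DS)
    print("match:", page_key_matches())
```

Running the module prints the recomputed DS beside the published one. The digest covers the owner name in wire form as well as the RDATA, which is why the root's single zero byte has to be included; forgetting it is the usual reason a hand-computed DS fails to match.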

Example BIND Config

Note: When using this config file you will probably need to delete /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys* every time you restart BIND after missing a keyroll.
Thus sayeth the BIND 9.8.0-P4, Chapter 6, "managed-keys Statement Grammar":

The first time named runs with a managed key configured in named.conf, it fetches the DNSKEY RRset directly from the zone apex, and validates it using the key specified in the managed-keys statement. If the DNSKEY RRset is validly signed, then it is used as the basis for a new managed keys database. From that point on, whenever named runs, it sees the managed-keys statement, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The key specified in the managed-keys is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database.

// BIND named.conf file for RFC5011 style keyroll testing.
// NOTE:
// This is an example named.conf file to test RFC5011 style key rollovers.
// It is NOT useful for general purposes.

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named.memstats";

        zone-statistics yes;

        // We need to allow recursion so that we can actually query the root.
        recursion yes;

        // Not much point without doing DNSSEC :-P
        dnssec-enable yes;
        dnssec-validation yes;  // enable DNSSEC validation

        auth-nxdomain no;       // conform to RFC1035
        listen-on {; };         // the listen address is missing from the original page
};

// Root key.
managed-keys {
        . initial-key 257 3 8 "AwEAAd969+oFpfSsrA8hLqzJGBwHFZIBahguEJe0/GQubGlqkvgu4mo6
                               //z4MXUbpjS58rbnx7IjBuNvdguOOrXiUObUYLyxB/zhhGu0dDIYm557
                               VstJi7mFr8MTtYgyRwbkDxUWCcLJY7F8MFwuZ7ZfAOcOYMTTGIhekmrn
                               yFm6D0EuRBIyooXF/T/VYf5KAOi4kiZPVYcOZ5X6B3h5U6aoQDctUHUP
                               XnT8Q3TgMfuw1W4OcEqFyrRVGy0iIENWI2N2zxyEBqKxyUcZ9zqlblnG
                               TeBvvJreI6so1YHWG5LPz3mBHbsrvQGG0LCx2wCHAEoaiHCNBMN0qLAk
                               zRebepukD+s=";
};

view "recursive" IN {
        match-clients { any; };
        allow-query { any; };
        recursion yes;
        allow-recursion { any; };

        // prime the server with the RFC5011 Key roll server.
        zone "." {
                type hint;
                file "/tmp/keyroller/db.root";
        };
}; // End of recursive view.

Example Unbound Config

Note: Thanks to Jakob Schlyter for this config.
He has created a nifty toolset at to download the key, put it in the right format, etc. It comes with config files for Unbound and BIND, and makes using this simpler and easier!

More info in the file.

When using this config file, you will need to put the trust anchor in /var/tmp/keyroll-unbound/keyroll-systems-root.key and the root hints in /var/tmp/keyroll-unbound/; Jakob's scripts / Makefile do all this for you.

# unbound.conf

server:
	verbosity: 1

	statistics-interval: 10
	extended-statistics: yes

	logfile: ""
	username: ""
	chroot: ""

	# the root hints file name is missing from the original page
	root-hints: "/var/tmp/keyroll-unbound/"
	auto-trust-anchor-file: "/var/tmp/keyroll-unbound/keyroll-systems-root.key"
	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
	# add-holddown: 2592000 # 30 days

	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
	# del-holddown: 2592000 # 30 days

	# auto-trust-anchor-file probing removes missing anchors after ttl.
	# If the value 0 is given, missing anchors are not removed.
	# keep-missing: 31622400 # 366 days

remote-control:
	control-enable: yes
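The BIND manual text quoted above and the commented hold-down options in the Unbound config both describe the RFC 5011 state machine that this test server exists to exercise: a new key is only accepted after it has been seen, signed by a current anchor, for the whole add hold-down; a revoked key is kept around for the remove hold-down; and Unbound additionally drops an anchor that has been missing for keep-missing seconds. As an added illustration, and not code from BIND, Unbound or this page, the following simplified Python model walks a new key K2 from Start through AddPend to Valid, revokes the old key K1 and discards it after the remove hold-down, using the same 30-day / 30-day / 366-day timers the Unbound options name. Keys are identified by constructed labels such as "K1" rather than key tags, because setting the REVOKE bit changes a key's key tag and real resolvers match on key material; the `signed_by` argument is an assumption standing in for RRSIG validation, which the caller is taken to have done.

```python
# Added example (not from the keyroll page, BIND or Unbound): a simplified
# RFC 5011 trust-anchor state machine with Unbound-style hold-down timers.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DAY = 86400
ADD_HOLDDOWN = 30 * DAY    # RFC 5011 add hold-down; Unbound add-holddown: 2592000
DEL_HOLDDOWN = 30 * DAY    # RFC 5011 remove hold-down; Unbound del-holddown: 2592000
KEEP_MISSING = 366 * DAY   # Unbound keep-missing: 31622400 (0 = never remove missing anchors)
REVOKE_FLAG = 0x0080       # RFC 5011 section 2.1: the REVOKE bit in DNSKEY flags


@dataclass
class Anchor:
    state: str = "Start"
    pending_since: Optional[int] = None   # time the key entered AddPend
    last_seen: Optional[int] = None       # last time the key was in a trusted RRset
    revoked_at: Optional[int] = None


@dataclass
class TrustStore:
    # Keys are identified by constructed labels ("K1"); real implementations
    # match on key material, since setting REVOKE changes the key tag.
    anchors: Dict[str, Anchor] = field(default_factory=dict)

    def bootstrap(self, key_id: str) -> None:
        """Load the initial anchor (like BIND's initial-key) straight into Valid."""
        self.anchors[key_id] = Anchor(state="Valid")

    def state(self, key_id: str) -> str:
        return self.anchors[key_id].state if key_id in self.anchors else "Start"

    def trusted(self) -> Set[str]:
        """Valid and Missing keys are both still usable trust anchors (RFC 5011 s4.1)."""
        return {k for k, a in self.anchors.items() if a.state in ("Valid", "Missing")}

    def observe(self, now: int, rrset: Dict[str, int], signed_by: Set[str]) -> None:
        """Process one probe of the apex DNSKEY RRset.

        rrset maps key id -> DNSKEY flags; signed_by is the set of keys whose
        RRSIGs over the RRset verified (assumed to be checked by the caller).
        """
        if not (signed_by & self.trusted()):
            return  # not signed by a current anchor: RFC 5011 s2.2 says ignore it
        for key_id, flags in rrset.items():
            a = self.anchors.setdefault(key_id, Anchor())
            # A revocation only counts if the revoked key signed the RRset itself.
            if flags & REVOKE_FLAG and key_id in signed_by:
                if a.state in ("Valid", "Missing"):
                    a.state, a.revoked_at = "Revoked", now
                elif a.state == "AddPend":
                    a.state, a.pending_since = "Start", None
                continue
            if a.state == "Start":
                a.state, a.pending_since = "AddPend", now
            elif a.state == "AddPend" and now - a.pending_since >= ADD_HOLDDOWN:
                a.state = "Valid"
            elif a.state == "Missing":
                a.state = "Valid"
            a.last_seen = now
        for key_id, a in self.anchors.items():
            if key_id in rrset:
                continue
            if a.state == "AddPend":      # vanished before acceptance: back to Start
                a.state, a.pending_since = "Start", None
            elif a.state == "Valid":      # a trusted key that was not seen this probe
                a.state = "Missing"
        self._expire(now)

    def _expire(self, now: int) -> None:
        for a in self.anchors.values():
            if a.state == "Revoked" and now - a.revoked_at >= DEL_HOLDDOWN:
                a.state = "Removed"
            elif (a.state == "Missing" and KEEP_MISSING and a.last_seen is not None
                  and now - a.last_seen >= KEEP_MISSING):
                a.state = "Removed"


def run_rollover() -> list:
    """Walk a new key K2 in and revoke the old key K1; returns the states observed."""
    store = TrustStore()
    store.bootstrap("K1")
    both = {"K1": 257, "K2": 257}
    seen = []
    store.observe(0, both, {"K1"})
    seen.append(store.state("K2"))          # AddPend: first sighting
    store.observe(15 * DAY, both, {"K1"})
    seen.append(store.state("K2"))          # AddPend: hold-down not over
    store.observe(31 * DAY, both, {"K1"})
    seen.append(store.state("K2"))          # Valid: seen for the whole hold-down
    store.observe(40 * DAY, {"K1": 257 | REVOKE_FLAG, "K2": 257}, {"K1", "K2"})
    seen.append(store.state("K1"))          # Revoked: self-signed with REVOKE set
    store.observe(71 * DAY, {"K2": 257}, {"K2"})
    seen.append(store.state("K1"))          # Removed: remove hold-down expired
    return seen


if __name__ == "__main__":
    print(run_rollover())
```

The two checks a resolver relies on are visible in `observe`: an RRset that no current anchor signed is ignored entirely, so an attacker who merely serves a different DNSKEY RRset cannot introduce a key, and a REVOKE bit is only honoured when the revoked key itself signed the RRset. Missing the server's keyroll window is what leaves BIND's managed-keys database out of step with the zone, which is why the note above suggests deleting the .mkeys file after a missed roll.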

Fake root.db

We create a fake root zone, both so that we can sign it, and so that we can make our recursive server believe that we know everything that there is to know about the world.

Please note: This is a fake version of the root, only for testing. It only knows about 2 TLDs, .invalid and .example. Using this in the real world will not work!

; A fake root zone for RFC5011 testing.
; This fake root zone file exists purely for testing RFC5011 implementations.
; Trying to use this to actually resolve names simply won't work (unless you
; get your jollies by only looking up 4 TXT records!)

$TTL 900	; We make the TTL be 15 minutes - this way we will get >1 request during the 1h keyroll time.

.			IN SOA	mname.invalid. ns.invalid. (
				42         ; serial
				3600       ; refresh (1 hour)
				3600       ; retry (1 hour)
				1814400    ; expire (3 weeks)
				3600       ; minimum (1 hour)
				)

.			NS	ns.root.
ns.root.		A		; address omitted on the original page

invalid.		NS	ns.invalid.
ns.invalid.		A		; address omitted on the original page

example.		NS	ns.example.
ns.example.		A		; address omitted on the original page

.			TXT	"This is the example root zone"

This system is written and maintained by Warren Kumari. Feel free to contact me with any questions / issues.