Spain, Dr. Jeffry A. wrote:
>
> Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
> doesn't appear to offer DNSSEC validation, and 78.46.213.227
> (rms.coozila.com) doesn't respond to my query at all.
It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
Samer Khattab wrote:
> What is BIND's internal logic when such a series of queries is received, and
> why would it not answer all requests?
Each query in progress from a given client must have a different ID, so
queries with the same ID are logically the same query which only needs one
reply.
William Thierry SAMEN wrote:
>
> I'm trying to sign a zone on BIND 9.8-P1 but I have this message:
>
> *dnssec-signzone: fatal: key myKSK.key not at origin*
It means the zone name in the key is not the same as the zone you are
signing.
Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall, Ma
William Thierry SAMEN wrote:
>
> My file zone:
Er, this looks like a key file, not a zone file. The key has been generated
incorrectly: it has a file name where the zone name should be.
> ; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
> ; Created: 20120207101131 (Tue Feb 7 11:
William Thierry SAMEN wrote:
>
> dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at
> top of zone
> dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at
> top of zone
This is because your zone uses an include directive to import the key
files, an
Chris Thompson wrote:
>
> More directly, http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf
>
> This is definitely worth reading, being an interesting new twist on a
> fairly old theme.
Paul Vixie was trying to do something about risks in this area a couple of
years ago: http://tools.ie
Florian Weimer wrote:
>
> Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> not extend too far into the future?
It depends on the TTL of the DS record or its proof of nonexistence.
Tony.
Melbinger Christian wrote:
>
> Does anyone know if there is a way to prevent the creation of certain
> records - by name?
http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies
Based on that, something the following should do what you want:
update-policy {
dE . wrote:
> Firstly, where do we get the public key for the DS records?
A zone's DNSKEY RRset contains its public keys, and these are hashed to
make its DS records. For example,
$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1
dE . wrote:
>
> Ok, so the DS record is not encrypted.
DNSSEC is about signatures: nothing is encrypted. DS records are signed:
a DS RRset has an RRSIG. For example,
; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec DS isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: N
Spain, Dr. Jeffry A. wrote:
> Which of these alternative empty zones should be used in the current DNS
> environment and why?
In my named.conf I have set up empty zones for the whole of 240/4. I view
RFC 6303 as the minimum necessary for a hygienic name server, but there
are a number of other pe
Spain, Dr. Jeffry A. wrote:
>
> Would you please elaborate on how you are managing your bogon-related
> empty zones.
I have bogon declarations and empty zones for all the ranges listed in RFC
5735 except 224.0.0.0/4 which only has a bogon declaration. (The multicast
addresses shouldn't be used fo
Jon A. wrote:
> Is there a better practice to serve 100% the same authoritative data
> in two views, but block recursion, cache use, and out of zone data?
Don't use views, use allow-query and allow-recursion ACLs.
Tony.
nsdiff is a small perl program that examines old and new versions of a DNS
zone and outputs the differences as a script for use by BIND's nsupdate
program. It bridges the gap between static master files and dynamic
updates.
I have published version 1.39 which has a new -q quiet / quick check
optio
Jan-Piet Mens wrote:
>
> From a Comcast talk at SATIN 2012 I believe they called that a "negative
> trust anchor", and IIRC, the author wanted to publish a draft of its
> operation.
http://tools.ietf.org/html/draft-livingood-negative-trust-anchors
There has been a lot of discussion on the IETF d
wbr...@e1b.org wrote:
> We are authoritative for a few dozen small zones. Is it possible to use
> the same KSK for all of them? I can see where if it gets compromised we
> would need to resign all zones using the KSK at once. How much effort
> would I be saving sharing the KSK?
With BIND it i
Augie Schwer wrote:
>
> I have a range of IPs bound to a local interface:
>
> lo:1 Link encap:Local Loopback
> inet addr:10.0.0.1 Mask:255.255.255.224
>
> And I want to convince Bind to listen on sub-set of the given range (
> 10.0.0.2 for example )
You can't do that without hacki
cloud cache wrote:
>
> How do I use nsupdate to dynamically update the SOA record?
> For example, I want to update the zone's contact email and main NS server
> name.
Like this:
$ dig +noall +answer soa fanf2.ucam.org
fanf2.ucam.org. 3600 IN SOA black.dotat.at. dot.dotat.at.
40 3
Chris Thompson wrote:
> Our regular DNS changes (via [scripted] nsupdate) always add the SOA
> explicitly (it's going to change anyway, after all), setting the serial
> to the Unix time(2) value. BIND may have been incrementing the serial
> itself as a result of re-signing activity, but we assume
Lyle Giese wrote:
>
> Don't use host. It's not telling us what is going wrong and it's only doing
> an A record lookup of the host name.
I agree dig is better for serious debugging, but for a quick check host
isn't as bad as you suggest.
$ host dotat.at
dotat.at has address 212.13.197.229
dotat.at
zhanglikun wrote:
>
> So my question is why does bind9 do that?
QTYPE=ANY is a special debugging facility. It just returns what is in the
cache, and only makes a query to the authoritative server when there is
nothing cached.
Tony.
Gaurav Kansal wrote:
> DNSSEC is done on Authoritative side.
Signing is done on authority servers. It's straightforward with
inline-signing mode, or if you maintain your zone with dynamic updates.
> Caching DNS only check whether that particular domain is signed or not,
> only if that caching D
Barry Margolin wrote:
>
> [Validation is] only untroublesome until someone screws things up on
> their auth server. When one of your users can't access something.gov,
> they'll complain to YOU, even though it's mostly out of your hands.
>
> This is true for other problems on auth servers as well,
wbr...@e1b.org wrote:
>
> So how do we implement one? Create a separate caching server with DNSSEC
> validation turned off and forward all queries for the broken domain to it?
That won't work, because a validating server validates replies from a
forwarding server.
Tony.
Sam Wilson wrote:
>
> Is a name on the RHS of an RR regarded as existing enough to prevent
> wildcard lookup?
No, only RR owner names.
> In this I would have expected the NS lookup to be followed by an A
> lookup for abc.a.example.com which would match the wildcard, assuming no
> other records m
Sam Wilson wrote:
>
> Not I - another poster.
Sorry!
Tony.
Axel Rau wrote:
>
> The tags of the KSKs with their dates are (set with dnssec-settime):
> ---
> [framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02,
> D:2012-05-28T17:55:02)]
> [framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03,
> D:2012-05-25T16:55:03)]
> ---
Not sure if this is a BIND question or a standards question.
I'm experimenting with some stats gathering. To get the zone of a domain
name I'm making a SOA query, which will either return a positive answer
(if the domain is a zone apex) or a negative answer with the enclosing
zone's SOA in the aut
Mark Andrews wrote:
> See draft-andrews-soa-discovery-02.txt and zero-no-soa-ttl
Thanks!
Tony.
Phil Mayers wrote:
>
> I'm wondering if anyone knows of a script that will process our logs looking
> for "refused" queries, and then post-process these by tracing the delegations
> and telling me what the nearest enclosing zone is, the NS records that led
> inbound queries to us, and (if any of t
Marian Röß wrote:
>
> That is what bothers me. Even the debug messages show that a change is
> detected and the zone is loaded into the database.
Are you running one copy of named on the server?
It might be that you have an old instance of the server running and
serving the old zone, and a new
Holemans Wim wrote:
>
> I have 2 questions. One, is there a way to rate-limit the number of
> requests a single client (the AD servers in this case) can have outstanding
> against a bind server? Some kind of rate-limiting parameter for the bind
> name server.
There isn't a way to do this in BIND. If you
Mark Andrews wrote:
> In message <4fdf631a.4060...@brandeis.edu>, John Miller writes:
> >
> > We've actually run into this before. Once upon a time, RCN cable used
> > to run some slave servers for us, but we've long since moved away from
> > them, including zone transfers. We yanked them from o
Spain, Dr. Jeffry A. wrote:
>
> My experience with changing the timing metadata or removing the key
> files is that named issues a warning like the following: zone /IN:
> Key // missing or inactive and has no
> replacement: retaining signatures. In this circumstance none of the
> RRSIGs or NSECs a
It looks to me like this is an EDNS bug. I am querying the authoritative
server directly, with no firewalls in the way. The FORMERR is coming from
the authoritative server not from BIND. I get the same result over IPv4
and IPv6.
They also have a bug in their NXDOMAIN logic: extranet.microsoft.com
Carsten Strotmann (private) wrote:
>
> The FORMERR I'm seeing is also quite odd, as it has the "AD" flag set,
> which should normally not appear in an error type of response, but
> might be caused by a mangled DNS packet:
I think it is echoing the AD bit in the query.
; <<>> DiG 9.9.1-P1 <<>> +
pangj wrote:
>
> DNS is very easy to attack.
> My named service sometimes gets 1G or more of attack traffic.
> What steps can we take to prevent it?
Incoming or outgoing? A number of people have been having this problem
recently. You might want to join the dns-operations list:
https://
Rafael Molina wrote:
> > I can't find a way to limit the queries per minute for this customer.
> > Is it possible in Bind9 to filter these queries, to limit the responses?
There is a patch for BIND which can help:
http://www.redbarn.org/dns/ratelimits
Tony.
Danny Horne wrote:
>
> I currently run two Bind 9.9.* nameservers (details below), I've just
> added a slave zone to the Windows one, the Linux one being the master.
> The zone transferred, however, seems to be corrupt in that when opened
> in Notepad it contains what I can only describe as gobbl
Marc Lampo wrote:
>
> You are aware that the Windows DNS service understands DNSSEC algorithm 5
> (RSA/SHA-1 – NSEC) at most?
Carsten Strotmann's post says Windows Server 2012 fixes this limitation
http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns
Tony.
Ben wrote:
>
> We run BIND as a caching-only DNS server for our customers. In the logs, I can
> see so many entries which tell
>
> success resolving 'x.y.z/A' (in '.'?) after disabling EDNS
>
> How to check that current bind installation has EDNS enabled or ?
> what could be reason behind it?
BIND has
Cathy Almond wrote:
>
> https://kb.isc.org/article/AA-00708/55/Why-does-BIND-log-messages-about-disabling-EDNS-or-reducing-the-advertised-packet-size
>
> (Just created, so apologies if there are any typos or other editorial
> corrections needed - they will happen later)
I suggest "middlebox" sinc
Gaurav Kansal wrote:
>
> Somewhere I heard that one of the Root Servers allows you to take a zone
> copy of that, so that if you want to look and feel about Root DNS
> servers, you can do so.
>
> Is it true? If yes then can anyone please guide me which Root DNS Server
> is allowing for the same?
On 9 Jul 2012, at 20:05, Matthew Pounsett wrote:
> On 2012/07/08, at 22:25, Barry Margolin wrote:
>> In article >>
>>> So to answer my earlier question, what file were you talking about copying
>>> into the chroot environment for BIND?
>>
>> The shared library. When you link dynamically, all th
On 20 Jul 2012, at 21:40, Active Venture - Tom wrote:
>
> 20-Jul-2012 15:26:40.181 config: error:
> /var/named/etc/namedb/conf/zone_0.conf:1529: zone 'x.net': already exists
> previous definition: /var/named/etc/namedb/conf/zone_0.conf:1529
> 20-Jul-2012 15:26:46.270 general: error: reloadi
Frantisek Hanzlik wrote:
> ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> @localhost -t MX br.ds.mfcr.cz
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43325
> Problem will be perhaps something with DNSSEC. What is interesting,
> BIND v9.9.1, essentially with the same configuration
> qu
On 3 Aug 2012, at 02:25, "Marco Davids (SIDN)" wrote:
> Dig 9.9.1 is setting the AD-bit in queries by default.
> Does anyone know why?
It means "I want the results of DNSSEC validation but not all the RRSIG and
NSEC records I would get from DO=1."
Tony.
Playing around with dnssec-verify:
$ dig axfr dotat.at | dnssec-verify -o dotat.at /dev/stdin
Loading zone 'dotat.at' from file '/dev/stdin'
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
Is automatic signing with ECDSA supposed to work yet? I ran:
$ dnssec-keygen -a ECDSAP256SHA256 -f KSK fanf2.ucam.org
Generating key pair.
Kfanf2.ucam.org.+013+03356
$ dnssec-keygen -a ECDSAP256SHA256 fanf2.ucam.org
Generating key pair.
Kfanf2.ucam.org.+013+63927
$ chmod g+r K*
$ rndc loadkeys fa
Tony Finch wrote:
> 15-Aug-2012 19:56:31.969 general: error: zone fanf2.ucam.org/IN:
> update_sigs:add_sigs -> sign failure
This turned out to be because /dev/random inside my chroot was set up
incorrectly. FreeBSD has a somewhat unusual way of dealing with device
nod
sth...@nethelp.no wrote:
> > I have since learned that you get different version output from dig,
> > named -v, and a dns query and the version statement only affects
> > specific outputs.
>
> What is the difference between using dig and a DNS query?
Dig reports its own version number in the com
fddi wrote:
>
> Is there another way I could achieve this ?
BIND's RPZ (response policy zone) feature supports many kinds of evil.
http://www.isc.org/community/blog/201007/taking-back-dns-0
Tony.
Timothe Litt wrote:
>
> Until someone authoritative tells me that BIND manages the hints file on its
> own, I'm taking the conservative route and letting my tool run
> BTW, I do have systems that come on-line every 5 years or so. Automation is
> good :-)
Well, I'm not authoritative, but I do
Lightner, Jeff wrote:
>
> For example from my workstation if I search an internal domain we use I
> know which internal DNS server it goes to ask the question. That DNS
> server in turn may refer to a separate internal DNS server which is
> authoritative for the domain or has the record cached.
Why does named complain in this manner? I noticed this when wondering
about validating stub resolvers which might query for DNSKEY and DS
records without knowing where zone cuts are in order to reduce latency.
03-Oct-2012 17:44:47.571 resolver: notice:
DNS format error from 212.72.49.3#53
Mark Andrews wrote:
> > Why does named complain in this manner?
>
> It's fallout from the type code roll from KEY to DNSKEY. KEY can
> exist beside CNAME so the CNAME is not followed for KEY, the same
> is not supposed to be true for DNSKEY. I'll open a bug ticket for
> this.
Thanks!
Tony.
Havard Eidnes wrote:
> So I'm sitting here scratching my head even more confused than
> usual. Anyone have any insights?
The SOA has the wrong owner name. Bind followed a referral for
map.media6degrees.com but the SOA wrongly says the zone apex is
media6degrees.com.
https://lists.isc.org/piperm
babu dheen wrote:
>
> All users in our company use an internal DNS server for name resolution.
> All internal DNS servers are pointed to our gateway recursive BIND name
> server, which is responsible for getting DNS answers from authoritative
> internet DNS servers.
>
> Now we would like to configure
Alan Clegg wrote:
>
> This message was added by general recognition that being able to rebuild
> a "drop-in" binary for BIND when you didn't have access to the build
> directory (where the config.log contains the information) was a good
> thing.
>
> I, for one, see no reason to suppress this messa
M. Meadows wrote:
>
> Does anyone know why dig brownmackie.com +nssearch only returns 5 auth
> nameserver soa records? A check of whois shows they have 7 auth
> nameservers.
Two of them do not respond to queries for brownmackie.com.
Tony.
Phil Mayers wrote:
>
> No. Zone cuts can be at any label inside a zone.
Provided "inside" does not include the zone apex :-)
Tony.
Feng He wrote:
>
> Take a look at:
> http://www.dnssec.lk/docs/DNSSEC_in_6_minutes.pdf
I recommend using "auto-dnssec maintain" so named keeps the zone signed,
instead of dnssec-signzone.
Tony.
Peter Andreev wrote:
>
> We signed another zone and met the same problem again. The only
> difference is algorithm - now it is RSASHA256.
>
> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> > Recently we realised th
King, Harold Clyde (Hal) wrote:
> I'm a bit confused by a user request. I think he is trying to keep some
> hosts on the private side of DNS, but he wants to use a DNS name like
> host.sub.local. I do not know of the use of the .local TLD except in
> Bonjour. Can anyone shed some light on the use
Matus UHLAR - fantomas wrote:
>
> I know. But there are cases where you just have a lot of data in the DNS, and
> what I am asking is whether BIND really does skip the authority section, and
> whether it helps to avoid sending truncated packets.
Yes it does. For example, have a look at responses to queries for dotat.at
i
Matus UHLAR - fantomas wrote:
>
> Nice to see. I'm seeing recommendations to set minimal-responses to avoid
> the truncation problem everywhere, and I'd like to have it documented
> somewhere that it just won't help...
It will reduce the likelihood of a fragmented response and therefore poor
interactions w
Mark Andrews wrote:
> In message <20121205125024.gc11...@fantomas.sk>, Matus UHLAR - fantomas
> writes:
> >
> > I'm curious if there's any case where the AUTHORITY section is needed to
> > proper function of DNS.
>
> Yes. Referrals.
And, (to a lesser extent) negative answers, since the negative
I have had a few instances recently when named has failed to re-open its
TCP listening socket after a restart. This is particularly likely if I
try to bounce it quickly with a command line like
# rndc stop; /etc/rc.d/rc.named start
The servers in question are recursive (apart from a few local zon
Mark Andrews wrote:
>
> You need to wait for named to stop
>
> p=`rndc stop -p | awk '{print $2}'`
> while kill -0 $p
> do
> sleep 1
> done
> /etc/rc.d/rc.named start
Thanks.
Tony.
Chris Thompson wrote:
>
> One slight niggling disadvantage is that you can't tell
> named-checkzone / named-compilezone with the -j option where
> to find the journal is it isn't in the default location.
I submitted a patch to add a -J option which addresses this problem.
(RT #30958)
Tony.
Matus UHLAR - fantomas wrote:
> On 16.01.13 14:57, Baird, Josh wrote:
> > Is it acceptable to have a wildcard CNAME? Example:
> >
> > * IN CNAME somewhere.com.
> >
> > Or, would it be advised to only use wildcard 'A' records?
>
> while it is technically valid,
Brian Kroth wrote:
>
> > RFC 4035 sec 2.2 says
> >
> > There MUST be an RRSIG for each RRset using at least one DNSKEY of
> > each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
> > itself MUST be signed by each algorithm appearing in the DS RRset
> > located at the delegating par
Brian Kroth wrote:
>
> For instance, suppose I did the following:
>
> - gen new algorithm keys and sign with them
> - wait for some period then publish the new DS (old DS remains)
> - revoke the old algorithm KSK (leave the ZSK alone), which changes its DS
> fingerprint, so publish a new DS
It
Jan-Piet Mens wrote:
>
> I'm seeing quite a number of messages like
>
> xfer-out: debug 3: client 192.168.1.2#54688 (example.com): zone
> transfer setup failed
From the source it looks like it will always precede this message with
another log line stating the reason. There are lots of p
Jan-Piet Mens wrote:
>
> On Fri Jan 25 2013 at 13:45:58 CET, Ben Croswell wrote:
> > A common issue is the secondary not being allowed to query the master for
> > the SOA of the zone. Ensure the master has an allow-query that includes the
> > secondary.
>
> The BIND slave can query the PowerDNS m
ip admin wrote:
>
> Any idea why the wildcard matching is affected by the individual
> levels/labels of
> hello.test.com?
See RFC 4592 "The Role of Wildcards in the Domain Name System", section
2.2 "Existence Rules" and especially 2.2.2 "Empty Non-terminals":
2.2. Existence Rules
The notio
Evan Hunt wrote:
>
> Also, generate a TSIG key to use for the initial TKEY negotiation.
I thought the point of TKEY was to upgrade from slow public key
authentication to fast secret key authentication, i.e. that you would
start off by authenticating the client with SIG(0).
Tony.
Jim Pazarena wrote:
>
> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 )
> it cannot reverse resolve 139.142.184.10
They are using classless reverse DNS, which is fine except that the
nameservers for the target zone are very broken.
10.184.142.139.in-addr.arpa. CNAME 10.0-25.184.142
Nick Urbanik wrote:
>
> I think that it is not necessarily always true that you should avoid a
> load balancer. Every day, our DNS caches are answering about 140,000
> queries per second. I think that it is rather hard to configure
> resolvers to query only three machines yet still meet the dema
Christian Tardif wrote:
>
> Back to a DNS problem, I came back to this thread. If I do a "dig +norec", I
> still don't get the final answer but then I get a whole bunch of information
> (the NS records for the requested zone, and the A records relating to these
> NS records)
That means the loc
Robert Moskowitz wrote:
> On 02/14/2013 09:05 AM, Warren Kumari wrote:
> > BIND now comes with a baked in roots file (in the imaginatively named
> > lib/dns/rootns.c )
>
> Not (at least by that name) in the Redhat/Centos 6.3 bind 9.8.2.
That is a source file name which is compiled into the binary
Robert Moskowitz wrote:
>
> Which begs the next question I was going to ask. How often should I download
> a fresh named.zone?
Never. If you keep BIND reasonably up-to-date its built-in hints will work
fine.
Tony.
Robert Moskowitz wrote:
>
> More records 1/3/2013 than in the named.ca stub which IF my version has
> it builtin raises the question about keeping current at this time in the
> Internet (and trusting Redhat to roll in new builtin hints as they go).
No need to worry. They are only hints, and
David Sherman wrote:
>
> If dynamic signing is used with BIND 9.8, what is the recommended
> procedure to switch from NSEC3-signed zone to NSEC-signed without
> changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for
> both ZSK and KSK)? Any specific options for dnssec-signzone?
Robert Moskowitz wrote:
> I have been getting this warning, and wonder why?
> I have read:
https://kb.isc.org/article/AA-00804/0/Why-does-named-log-an-error-disabling-RFC-1918-empty-zones-when-starting-up.html
named logs the message if there are any RFC 1918 zones that ought to be
configured but
Vernon Schryver wrote:
>
> How does a secondary authoritative DNS server fail to support DNSSEC?
A security-aware authoritative server has to support:
* EDNS0 and DO
* RRSIG records alongside the RRsets they cover in responses
* Special logic for DS in parent zones
* NSEC or NSEC3 in negative an
Robert Moskowitz wrote:
>
> One of my secondaries, though, does not support DNSSEC and it is the one that
> gives me a bit of geographical diversity. So I am looking for someplace that
> will accept my smallish domains.
Have a look at https://web.gratisdns.dk - Danish only, but that's not too
mu
Robert Moskowitz wrote:
>
> Right now I use Network Solutions as my registrar. Just never changes as they
> were the only show in town back then.
>
> But they don't seem to support DNSSEC protected domains, and even IPv6 glue
> records are special requests, it seems.
Have a look at http://wiki.g
Lyle Giese wrote:
>
> Recently I moved this domain (lcrcomputer.net) to a registrar that supports
> DNSSEC and inserted the DS record for this domain.
Was it signed before this point? I am wondering if this is a DNS response
size problem - was the cause the addition of the DS record, or the
additio
On 19 Feb 2013, at 08:06, Doug Barton wrote:
> GoDaddy supports everything you're looking for.
Though you might prefer to use a less repulsive provider.
http://kottke.org/11/12/the-internets-go-daddy-issues
Tony.
Jsilliman wrote:
> The serial number gets updated in the logs, but not when I do a dig.
> (21 vs 3-old)
Did you dig @localhost or is dig querying some recursive server elsewhere?
What does /etc/resolv.conf contain?
Tony.
Mesut GULNAZ wrote:
> When I query bind for www.google.com from a PC on my network,
> bind responds with www.google.com.localdomain.com
> with no result.
Sounds like you have a wildcard in your local domain and the
resolver search path includes your local domain.
Tony.
Robert Moskowitz wrote:
> Feb 28 12:14:16 klovia named[22332]: validating @0xb421ba30: htt SOA: got
> insecure response; parent indicates it should be secure
I think this suggests that one of the servers for htt doesn't have the
signed version.
Another reason not to use made-up domain names:
Robert Moskowitz wrote:
> I got tipped off about this from a logwatch report. My public DNS server had
> the following:
>
> Feb 26 04:02:04 onlo named[19336]: validating @0xb2929ee0: in-addr.arpa SOA:
> got insecure response; parent indicates it should be secure
Looks like something in your s
King, Harold Clyde (Hal) wrote:
> Is there an option for bind like the allow-recursion { }
> For blocking out going records of 10.0.0.0/8 and 192.168.0.0/16 so I could do
> a view like:
I'm not sure what you mean by "blocking out going records" but there are a
couple of options that might do w
Spumonti Spumonti wrote:
> Are there relatively recent instructions on how to build BIND from
> source and run it in a chroot environment? It sounds obvious but
> everything I've come across assumes BIND is provided by some package
> manager or included with the operating system. I'd like to buil
In response to ICANN's consultation on DNSSEC root key rollovers
http://www.icann.org/en/news/public-comment/root-zone-consultation-08mar13-en.htm
I was wondering how to check that a rollover is progressing OK. BIND
doesn't provide much help with this (unless I have missed something) so I
thought i
Abdellatif ... wrote:
>
> It doesn't seem to use the cache, here is the call of dig mail.com :
If you dig it twice do you get a faster response?
Tony.
Matus UHLAR - fantomas wrote:
>
> this is clearly a cached answer (aa flag is missing). How did you come to
> the conclusion that caching does not work?
It's probably a cached answer from one of the forwarders. The response
time from the server was too long for it to be locally cached.
Tony.
Wang, Yu wrote:
>
> I am in the process of preparing bind upgrade from 9.7.7 to 9.9.2-p2. I
> am reading release notes from 9.8.0 up to see if there are new
> things/features that might cause issues. I would welcome and appreciate
> advice on precautions I should take before, during, and after upg