Hi,
The timings are based on RFC 7583 and "Flexible and Robust Key Rollover
in DNSSEC". They may help a great deal in understanding the time states.
https://datatracker.ietf.org/doc/html/rfc7583
https://nlnetlabs.nl/downloads/publications/satin2012-Schaeffer.pdf
See below for inline answers.
Have you read:
https://kb.isc.org/docs/dnssec-key-and-signing-policy
and
https://bind9.readthedocs.io/en/latest/dnssec-guide.html
This RFC should give you some background too:
https://datatracker.ietf.org/doc/html/rfc6781
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and yo
Hi,
I'm trying out DNSSEC policy for the first time, and I am so confused about the
time states—how they calculate the time for the state of the records to change.
I really need help because I have a ton of questions (I'm using BIND 9.18.31,
btw). I want to understand how it works step by step,
Hi.
An ACL can match other ACLs, meaning that you can include the name of one
ACL in the definition of another.
Your config is being interpreted as:
acl "tsg_acl" {
Start the definition of an ACL called "tsg_acl", which will be followed by
a list of things to match, each of which must end with a s
Hello,
Functional EDE 22 is available in Bind 9.20.6.
RFC say :
4.23. Extended DNS Error Code 22 - No Reachable Authority
The resolver could not reach any of the authoritative name servers (or
they potentially refused to reply)
Bind does not map a rcode REFUSED to EDE 22 so in your case I don'
Hello,
I was testing / debugging some sub-zone delegation for a friend's domain
(something about email marketing service that want's their clients to
delegate a subzone to their NSs) and couldn't quite see the issue -
apart from my local resolver reporting 'SERVFAIL':
; <<>> DiG 9.18.33 <<>
6 matches
Mail list logo
