Thanks I'll try that.
-Original Message-
From: Evan Hunt
Sent: Thursday, March 6, 2025 1:46 PM
To: Chris Isaksen
Cc: bind-users@lists.isc.org
Subject: Re: Questions about "dnssec validation" statement
On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote:
>
I was wondering if dnssec validation could be set to auto in the options
section and then set it to 'no' in a particular zone?
We would like to use "dnssec validation auto" but a few forwarding zones we
have, we know do not use dnssec and queries fail if it's not se
I haven't tried anything yet as I wanted to make sure I didn't break anything.
I can add the validation no to the zone and named-checkconf and see if it will
take it. I'll have to wait until after hours to try it.
Thanks
From: Evan McKinney
Sent: Thursday, March 6, 2025 8:
g 'A' record -
conflict with CNAME?
www TXT "v=spf1 -all"
; working without a problem.
@ TXT "v=spf1 -all"
--
Chris.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC fund
is full.
BIND stats reports two counters, dnstapSuccess and dnstapDropped. It appears
that the dropped counter is incremented for either failure condition.
Regards,
Chris
> On Nov 18, 2021, at 9:50 PM, Carsten Strotmann wrote:
>
> Hi,
>
> how can a BIND 9 operator detect an
I honestly don’t remember the reasoning, only the outcome. Maybe Mark or
someone else from ISC can shed some light? I couldn’t find the answer to this
regular (but infrequent) question in the ISC KB.
Regards,
Chris Buxton
> On Aug 30, 2021, at 3:40 PM, raf via bind-users
> wrote:
>
What algorithm(s) are you using for ZSK and KSK? If they’re not the same
algorithm, then both will be used to sign the entire zone.
Regards,
Chris Buxton
> On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users
> wrote:
>
> Signed PGP part
> I've had an issue
configure it.
Regards,
Chris Buxton
> On Aug 26, 2021, at 7:32 AM, Magnus Holmgren
> wrote:
>
> When using GSS-TSIG, nsupdate (with the -g flag) always forms the SPN from the
> master server specified in the SOA record, rather than the server specified
> with the server comma
them, or perhaps live with the log
messages from that public view. Perhaps your SIEM (if you use one) could split
the data based on the view name in the log messages.
Regards,
Chris Buxton
> On Aug 24, 2021, at 7:44 AM, Gaurav Kansal wrote:
>
> Hi Ged,
>
> Actually recursion is o
devices register themselves, they might get
decommissioned. Perhaps much later, but eventually upgrades happen and needs
change. How are you cleaning up the stale records? Your DHCP server will do
that for you, for DHCP clients.
Regards,
Chris Buxton
> On Aug 5, 2021, at 9:19 AM, Roberto Ca
From: bind-users on behalf of Ondřej Surý
Sent: Wednesday, January 27, 2021 8:29 AM
To: Greg Donohoe
Cc: bind-users@lists.isc.org
Subject: Re: Reverse zone reformatting after nsupdate execution
You might want to change `masterfile-style` configuration option
y; };
zone "x.y.zzz" {
type static-stub;
server-names {
"10.n.n.n";
"10.n.n.m";
};
};
};
This ALWAYS gives a SERVFAIL though regardless of whether the 10.n.n.n
addresses are reachable or not...
So I have something that works, although it
Hi Ondřej
That could work for eliminating the caching delay when the VPN comes up.
I'd just have to get that into the VPN config so people didn't have to
do it manually.
Is there any way to stop the recursion for that domain happening in the
first place though?
Thanks, Chris
rce a SERVFAIL when the specified servers for
that domain are unreachable, rather than recursing. And presumably that
would then cause the queries to quickly flow to the required servers
once they are reachable again. Is that possible, or is there another
approach to this problem?
Many thanks,
al forwarding for the subzones also, pointing to the forwarders.
Without the delegation, the conditional forwarding won't work -- the MS DNS
servers will respond authoritatively. But without the conditional forwarding,
the MS DNS servers will send iterati
Does anyone know of a good log file reference for each of the logs bind
produces? Specifically the log format (columns etc) and the meaning of each
log type and messages?
Thanks
Confidentiality Notice
This email including all attachments is confidential and intended solely for
the use of
/bind-users/2019-June/101930.html
--
Chris Thompson
Email: c...@cam.ac.uk
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/lis
3.74] which doesn't have this server
cookie problem.
--
Chris Thompson
Email: c...@cam.ac.uk
reached?
It may be that the behavior you're expecting is more in line with type
"static-stub" than with type "stub".
Regards,
Chris Buxton
> On May 7, 2019, at 4:08 PM, Ben Lavender wrote:
>
> Hi,
>
> I've been trying to configure a stub zone u
this was a reasonable use of "invalid", and consistent with
the remarks in section 6.4 of RFC 6761 (also dating from 2013, incidentally).
--
Chris Thompson
Email: c...@cam.ac.uk
of stub zones assumes that an SOA query will
retrieve all of the required information (SOA, NS, and supporting A/
records) to successfully insert the zone apex into the cache.
Chris Buxton
me limitations/quirks that
> occasionally require you to manually delete your jnl file (and of course
> force a AXFR-style IXFR transfer in these situations).
That makes sense, since presumably the journal could only be generated during
execution of "rndc reload" or "rndc reload
for these negative responses in Cache, or
could there really be that many objects in the cache ?
Assuming these were output as uint64_t but then reinterpreting them as
int64_t, they are very *small* negative numbers, -57 and -9 respectively.
I suspect something other than overflow is responsible.
e.g. for the www.[zonename] RRs
in different zones), because the full owner name is included in the
hashing input.
(Use a different Key)
Yes. Because there are no advantages whatsoever in doing otherwise!
--
Chris Thompson
Email: c...@cam.ac.uk
.yourdomain
CNAME externalntp.otherdomain
CNAME externalntp.someotherdomain
Assuming that you are running name server software that actually allows
you to have several CNAMEs with the same label, of course.
BIND8 with "multiple-cnames yes", perhaps? :-)
approach is to do a dig
axfr to get the actual zone...
If you do need to work from the zone files, I would strongly recommend
normalising them with "name-checkzone -o outfile zonename infile" or
an equivalent, before trying to unpick them with "Perl, awk, etc".
--
Chr
case, tell us what your use case is in more detail and
perhaps the list can help.
Chris Buxton
e use case. But the most common use of such queries
is to conduct an amplification attack.
What are the apparent source addresses of these queries? Are they consistent?
If so, that would point to the target of such an attack, not the source.
Chris Buxton
rpa/dnssec/
Thanks for the heads up - I'll make sure our Ops team is aware.
To further increase our Schadenfreude, please do let the list know just
how ISC managed to let that happen! Or will you be able to blame ARIN?
--
Chris Thompson
Email:
Thanks Matus,
The below tips fixed things ;). I did make a mistake on the zone entry.
Best Regards,
Chris W.
-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Matus UHLAR - fantomas
Sent: Wednesday, March 14, 2018 7:53 AM
To: bind-users
al reverse
zone as well, feel free to let me know.
Any insight would be greatly appreciated. Thanks a bunch in advance.
Best Regards,
Chris W.
I am posting my configuration just in case:
named.conf:
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
product to do what you’ve described.
BIND on Linux will do everything you’ve described, if properly set up. You
could set up some simple scripting to give you secure DDNS so that you can
update the data from anywhere.
I hope that helps.
Chris Buxton
Sent from my iPhone
> On Mar 6, 2018, at 10
do the same job. The
use case you describe cannot be solved by RFC-compliant DNS -- the name of a
zone cannot be an alias of some other name. Creating the parent zone and
putting the CNAME in there will create more problems for you.
Regards,
Chris Buxton
> On Nov 17, 2017, at 9:19 AM, Jef
Thanks for the response, Tony. Responses in-line.
On May 30, 2017, at 5:51 AM, Tony Finch wrote:
> Chris Buxton wrote:
>
>> dns_master_load: example.com.dns:6785: bad escape
>> dns_master_load: example.com.dns:6789: bad escape
>>
>> mhtswfw-dellfi01\342\
reach the person managing the list at
bind-users-ow...@lists.isc.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."
Today's Topics:
1. Weird issue with bind & router (Chris Serella)
2. Re: Weird iss
I run a small dev system on my home network, housing dns etc all under the one
server.
System: ubuntu16.04 server, ispconfig etc etc etc, you get the idea.
Anyway, the problem I am having comes down to the router rebooting (is it
crashing? I can't tell) every time bind starts/restarts. This ordi
I would have expected that
'-i none' would have allowed it to skip these errors. but it doesn't.
Regards,
Chris Buxton
g forward to the time when BIND,
inter alia, supports them...
--
Chris Thompson
Email: c...@cam.ac.uk
d have a work-around for the zone apex (example.com
itself), such as a simple webserver (right on each GSLB, perhaps) that takes
those web requests and redirects them to www.example.com. Then in your main
zone (not on the GSLB), you would have a record set pointing that zone
m/> should be
blocked, but that specific names (e.g. w.blogspot.com <http://w.blogspot.com/>)
should be whitelisted. Read the BIND v9 ARM for details on how to accomplish
this.
Regards,
Chris Buxton
Funny email address.
I could be wrong, but it looks like you might have a firewall problem. The one
really slow response is the one over 512 bytes. Is it possible you have a
firewall that examines the contents of DNS messages?
Regards,
Chris
Sent from my iPhone
> On Sep 21, 2016, at 12:34
Try it without "+trace".
Regards,
Chris
> On Aug 17, 2016, at 2:59 AM, anup albal wrote:
>
> Hi
>
> First up apologies if this is not the right list to email and for a long
> email. I am hoping you can give me a clue as to what I am doing wrong here?
> Or may
more systems to check and more ways for things to go wrong.
Regards,
Chris
Sent from my iPhone
> On Aug 12, 2016, at 5:11 PM, Darcy Kevin (FCA)
> wrote:
>
> True, strictly from a per-hop latency standpoint, there shouldn't be much
> difference between forwarding
I use Bind as a local caching nameserver at my house mainly to speed up
spamassassin queries. Until I upgraded my Ubuntu 14.04 to 16.04 last
week all was working great. After the upgrade bind has been filling up
my syslog with the above error. Running 'named -V' outputs:
chris@localhos
Absolutely agreed.
Regards,
Chris
Sent from my iPhone
> On Jul 28, 2016, at 12:40 PM, Darcy Kevin (FCA)
> wrote:
>
> Yes, I did misread the original post; thanks for clarifying.
>
> But, the gist of the question seemed to be about mitigating the effects of
> cac
.
BlueCat
Men & Mice
Infoblox
EfficientIP
Vital QIP
DiamondIP
I'm sure there are more that I'm forgetting.
Please note: I am a current and former employee of two of these vendors.
Regards,
Chris
Sent from my iPhone
> On Jul 25, 2016, at 2:36 PM, Kirk wrote:
>
> I have be
The OP's question was about setting up BIND, not MS DNS, related to using
Samba, not Windows, as the domain controller.
Regards,
Chris
Sent from my iPhone
> On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA)
> wrote:
>
> My preference? Have all your clients use BIND to resolv
't have those two servers in resolv.conf. Aim for a consistent (and
consistently useful) result.
Regards,
Chris
"Re: [the subject format for the list's
digest messages]". Maybe a scan of the message content for a copy of
the digest prologue would be a good idea as well.
--
Chris Thompson
Email: c...@cam.ac.uk
/pipermail/dns-operations/2016-April/014765.html
which is fairly tight-lipped!
--
Chris Thompson
Email: c...@cam.ac.uk
g glue records. This data is not authoritative, and I have
seen it outranked by cached data. That can lead to odd failures, especially if
the querier is denied access to the cache.
Regards,
Chris
target for dynamic updates and is therefore fairly important; even
a few minutes of downtime of this server might cause outages for DHCP service,
for example. There are several commercial offerings that include this sort of
HA. I work for one of these vendors, Blue
he notify mechanism is working properly. Is that
perhaps what you meant?
Regards,
Chris
me
/usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
exit 0
;;
*)
echo "Usage: named {start|stop|status|restart|reload}"
exit 1
esac
exit 0
On Wed, Dec 2, 2015 at 9:54 PM, Tony Finch wrote:
> chris liesfield wrote:
> >
> >
.conf below:-
// SRO BIND configuration file
// ... some name server ...
// Written chapter and verse on 20130325 by Chris Liesfield
// Last modified 201511271436 by Chris Liesfield
options {
directory "/var/named";
pid-file "named.pid";
allow-query { "any"
g the neophytes.
I will be reading the IETF terminology draft closely. Thanks for pointing it
out.
Regards,
Chris
> On Nov 19, 2015, at 1:11 PM, Darcy Kevin (FCA)
> wrote:
>
> Chris,
> The terms "iterative resolution" and "recursive resolution" appear to
with
my usage of the phrase “recursive resolution". I can also find “recursion”,
again matching my usage. The phrase “iterative service” in the RFC describes
the way a server handles a query if recursion is either not available or not
desired.
Regards,
Chris
ost common offenders in my experience.
Regards,
Chris Buxton
Sent from my iPhone
> On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng. wrote:
>
> So, the last couple of days I've been banging my head on this problem
>
> Where I'm seeing this strangeness.
>
>
On Oct 5, 2015, at 11:51 PM, Harshith Mulky wrote:
> Let us say we are having a FQDN and we need to Resolve it. It goes through
> the procedure of determining the IP and Port using NAPTR/SRV/A query
> mechanisms
>
> The question I have is if I have a FQDN with a Port Number already
> determine
hen responding negatively, the authoritative server
uses the negative caching TTL (the Minimum field) as the TTL of the SOA record
in the authority section.
Chris
aching
TTL. And no RFC has ever updated its name.
Chris Buxton
copy exactly from the
query, and the owner field used in the answer section, which recent
versions of BIND make the same as that loaded from zone file (when
authoritative), or as received from an authoritative nameserver (when
from the cache).
--
Chris Thompson
Email: c...@cam.
ne is described.
Would this actually break a validating resolver with a locally defined
(unsigned) empty zone 2.0.192.IN-ADDR.ARPA ? The parent zone can produce
a proof that there is no signed delegation, but only by revealing the
signed DNAME.
--
Chris Thompson
Email: c...@cam.
Ls so that they will remain cached.
--
Chris Thompson
Email: c...@cam.ac.uk
On May 14 2015, I wrote:
Now that RFCs 7434 & 7435 have been published, how do ISC see the future ...
That should be 7_5_34 & 7_5_35 of course. Curses.
--
Chris Thompson
Email: c...@cam.ac.uk
the public DNS acquire DNAMEs pointing to that (hopefully ones
with large TTLs).
--
Chris Thompson
Email: c...@cam.ac.uk
rd to the loopback address, which doesn't match the new view's
match-clients ACL.
Chris
8.247.135#53
Do I have something in my setup incorrect?
Thanks for any advice
Chris
--
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
08:26:07 up 1 day, 11:08, 1 user, load average: 0.22, 0.24, 0.25
Ubuntu 14.04.2 LTS, kernel 4.0.0-997
so set it to '::1'. Or whatever makes sense to
you.
The 'address' line sets the local address for the interface, on the server
itself.
Good luck. The following may also be of some help:
https://help.ubuntu.com/community/BIND9ServerHowto
Regards,
Chris
> On Mar 31, 2015,
ter file has been updated. (Of course, as Phil Mayers
points out, this would cause downstream IXFRs to become AXFRs,)
--
Chris Thompson
Email: c...@cam.ac.uk
nstance using two
views, with forwarding from one view to the other.
Chris
triggered, the escape characters are being added to the entry on the slave zone
automatically. Why is this happening and how do I stop it?
Chris Vaughan | Communications Officer, ICT
Land and Property Information | Level 5, 1 Prince Albert Road Queens Square NSW
2000
e: chris.vaug...@lpi.nsw.gov.au
.\; aspf=s\; rf=afrf\; sp=reject"
Chris Vaughan | Communications Officer, ICT
Land and Property Information | Level 5, 1 Prince Albert Road Queens Square NSW
2000
e: chris.vaug...@lpi.nsw.gov.au | t: 02 92286884 | m: 0401 148061 | f: 02
92231271 | http://www.services.nsw.gov.au I http:
ike you might want different addresses in the additional section of
the response depending on whether the request is for an A record or a
record. If so, that's not possible.
Regards,
Chris
ally identical to type static-stub, except it sends
recursive queries instead of iterative queries. This is generally bad practice
(it might work fine, or it might have unintended consequences or otherwise
fail, in a hard-to-diagnose way) unless the forwarder accepts recursive
queries. So type static
I suspect a static-stub zone is more what you want, but yes, that sounds like
it should work.
Chris
> On Nov 7, 2014, at 1:04 PM, Chris Buxton wrote:
>
>> On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote:
>>>
>>> I am going to be adding a type forward zone for
be receiving recursive or iterative queries (rd=1 or rd=0) for
the zone? Forwarding zones like this don't work for iterative queries.
Chris
(Almost) no-one uses HINFO for its original purpose anywhere in
the DNS.
and I think I might get away with it.
--
Chris Thompson
Email: c...@cam.ac.uk
l, it served me right when we later had to put an A record (sorts before
HINFO) at the apex of cam.ac.uk and I had to modify our normalised-zone-file-
comparison program to allow for that!
--
Chris Thompson
Email: c...@cam.ac.uk
something is in the
public DNS at all, it ought to be signed. But our tribulations
summarised above (and believe me, I could go on about it at *much*
greater length! you should be grateful) have occasionally made me
regret that.
--
Chris Thompson
Email: c...@cam.ac.uk
know about lbtest.isnlab.in,
You are always going to get inconsistent results until you fix the
delegation.
--
Chris Thompson
Email: c...@cam.ac.uk
xpedites what would normally happen
when the refresh interval expires. That is, it will do an SOA query
against the master(s), and if the serial has increased attempt an
(if possible incremental) zone transfer.
--
Chris Thompson
Email: c...@cam.ac.uk
delegation, but each office has its own zone. Everyone is
happy.
Chris
On Apr 30, 2014, at 4:36 PM, Jeronimo L. Cabral wrote:
> DNS1 with dynamic update and DNS2 with manually update
>
>
> On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy wrote:
> I'm still not understanding
nd anycast support out of
the box, just as others have hinted in this thread. And unlike some of our
competitors, we do allow ssh access if you need it.
Best regards,
Chris
would vote for 'dq' (as in, DNS query)
which has the virtue of not matching anything in the Ubuntu "did you
mean?" database.
Oh please, not another two-letter command for the benefit only of the
digit-ally challenged...
Not to mention what http://en.wikipedia.org/wiki/DQ has t
solv.conf (if any).
The search list is not used by default.
--
Chris Thompson
Email: c...@cam.ac.uk
b zones where
appropriate.
Then you have to maintain your masters statements as those zones move around.
Chris
e sure your old nameservers stop serving the
zone, or at least serve a version with the new NS records in"
situation. but the (highly anti-social, by the way) behaviour
of these nameservers makes that impossible to arrange.
--
Chris Thompson
Email: c...@cam.ac.uk
for .net?
No, they are authoritative for udrtld.net, self-consistently claiming
themselves as the only NS records for it.
This looks like a simple case of a change of nameservers for a zone not
propagating too well, because the old ones haven't stopped serving it.
--
Chris
not a bug. It is mandated by RFC 5155 - see
section 4.1.2.
This was really nic.at (and not example.com), wasn't it? Your domain
obfuscation was half-hearted! I tried looking at it, but things
were changing too fast for me to get consistent results...
--
Chris Thompson
Email: c...@cam.
On Mar 21 2014, SM wrote:
Hi Chris,
At 11:18 21-03-2014, Chris Thompson wrote:
We used to create lots of localhost.[subdomain].cam.ac.uk records, even
to the extent of adding an record just for those institutions that
had IPv6 enabled on their networks. But we have pretty much given up
alhost.cam.ac.uk itself, to terminate the probable iteration described
above before it goes any further.
--
Chris Thompson
Email: c...@cam.ac.uk
't believe it works with update forwarding. I've certainly never gotten it
to work. However, Microsoft will send the updates to the master listed in the
SOA record, so as long as that shows your otherwise-hidden master, and firewall
access is set up for it, everything should work fine.
Rega
oesn't support
TSIG, just GSS-TSIG.
AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on the
master.
Regards,
Chris Buxton.
uestion, for the names of your A records. I don't know why
a mail server would complain about this, but perhaps others with recent mail
server admin experience can comment here.
Regards,
Chris Buxton
therwise.
I think I am going to have to retreat hurt from this attempt to use
inline signing, and find some other way of achieving what I want.
--
Chris Thompson
Email: c...@cam.ac.uk
On Feb 19 2014, Alan Clegg wrote:
On 2/19/14, 8:59 PM, Chris Thompson wrote:
What is the right way ... or maybe I should be asking IS there a right
way ... to change a zone that has been signed by inline signing (i.e. with
"inline-signing yes; auto-dnssec maintain;" in its zone sta
ed normally first. It does not short-circuit recursion.
Chris Buxton
> From: bind-users-bounces+jason.brown=kcom@lists.isc.org
> [mailto:bind-users-bounces+jason.brown=kcom@lists.isc.org] On Behalf Of
> Ivo
> Sent: 28 February 2014 10:10
> To: bind-users@lists.isc.
error: zone playground.test/IN:
not loaded due to errors.
and the zone goes into SERVFAIL state.
The only way I found out of this was to remove the [zone-file].signed
and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
Surely there must be something bette
It's not often mentioned, incidentally, that using more iterations increases
the probability of a collision. Of course, it's pretty damn small to begin
with, so that doesn't really matter. But the algorithm, described in RFC 5155
section 5, could have been better designed