error sending response: would block

2018-11-15 Thread Paul B. Henson
I recently updated a couple servers that were running OpenBSD 6.3 with bind 9.11.3 to OpenBSD 6.4 and bind 9.11.4pl2. Since then, I've been getting a large number of "error sending response: would block" log messages: Nov 15 11:03:58 lisa named[79587]: client @0x6f2f02bc440 10.128.30.77#65198 (p64-

RE: problem registering DS records with EDUCAUSE, sanity check please

2014-07-15 Thread Paul B. Henson
> From: Stephane Bortzmeyer > Sent: Tuesday, July 15, 2014 12:43 AM > > You can also note that it is quite common to publish DS without any > matching KSK. It is even documented in RFC 6781, section 4.2.4. For an > actual example, see .UK (the yellow > path). Inter

RE: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
> From: Mark Andrews > Sent: Monday, July 14, 2014 6:33 PM > > For a DS to *work* it needs to point to a key that signs the DNSKEY > RRset. Validators check that the signature exists. Activating the > key will add 1 signature to the zone. Let me preface this reply by indicating that I am far fro

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote: > The new key does not sign the DNSKEY RRset. [...] > Make sure the DNSKEY RRset is signed with the new key then try to > add the DS record to the parent. It's intentionally not being used for signing; it's published but not yet activa

RE: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
> From: Stephane Bortzmeyer > Sent: Monday, July 14, 2014 1:43 PM > > > So, I suspect a bug in EDUCAUSE. > > Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU > issue. Cool, thanks for double checking me and a potential problem to look at. Makes me feel a little bit better tha

problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
We roll our KSKs for our edu domain annually in July, after which I need to manually go to the EDUCAUSE management site to delete the old DS records for the key no longer in use, and add the new DS records for the key just published and scheduled to be used the following year. This year, after de

Re: dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring

2013-04-26 Thread Paul B. Henson
On 4/25/2013 11:57 AM, Evan Hunt wrote: The warning is spurious and has been fixed in 9.9.3. It was incorrectly checking to see whether there were any DNSKEY records in the zone *before* loading them from the key files. It should have been doing so afterward, obviously. Ah, okay, thanks for

dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY; ignoring

2013-04-25 Thread Paul B. Henson
We're upgrading from bind 9.8 to 9.9, and there's a new warning from dnssec-signzone that's confusing me. We are using a locally developed mechanism for signing that predates the auto and in-line signing mechanisms currently available in bind, and run the command like this: dnssec-signzone -d

Re: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success

2011-11-23 Thread Paul B. Henson
On Wed, Nov 23, 2011 at 02:02:42PM -0800, Paul B. Henson wrote: > Still seeing these... No ideas anybody :)? > > Looks like they're always paired with an EDNS log line: > > Nov 23 13:35:19 atlas named[28846]: success resolving './DNSKEY' (in > '.'?) a

Re: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success

2011-11-23 Thread Paul B. Henson
o DNSKEY RRSIGs found for '.': success On Tue, Nov 22, 2011 at 11:14:08AM -0800, Paul B. Henson wrote: > Yesterday I started getting messages like: > > Nov 22 10:29:01 gemini named[28532]: managed-keys-zone ./IN: No DNSKEY > RRSIGs found for '.': success > > Nov

managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success

2011-11-22 Thread Paul B. Henson
he message. Everything still seems to be working fine. Other than upgrading from 9.7.4 to 9.7.4_p1 last week nothing's changed on my side. Any thoughts on what this means and why it just started out of the blue? Thanks... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~

Re: dnssec config sanity check

2011-10-07 Thread Paul B. Henson
ved quickly is high :). I guess if I missed anything at some point maybe Stephane Bortzmeyer will be contacting me to let me know my dnssec deployment is broken and asking what tool I'm using ;)... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Op

Re: dnssec config sanity check

2011-10-05 Thread Paul B. Henson
glue that fits perfectly into our existing deployment rather than try to bend a complicated tool to our will or change our deployment to match its idea of how things should work. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@

Re: dnssec config sanity check

2011-10-04 Thread Paul B. Henson
activation, inactivation, and deletion timings, and then use them ;). My hope from my initial posting was to get a little peer review of the appropriateness of the timings I've selected... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Networ

Re: dnssec config sanity check

2011-10-04 Thread Paul B. Henson
'll need to tweak the deletion date for the old key to prevent any broken resolvers from failing. The key actually being used has already existed in the parent zone for the last year, so verifying the current signatures shouldn't be an issue even if the registrar flakes out. Thanks...

dnssec config sanity check

2011-10-03 Thread Paul B. Henson
atures that will die off in as little as five days. I don't consider that very likely; there are typically updates at least every day or two, and if our master died I'm pretty sure we'd have it fixed within 24 hours. Are there any timing issues or edge cases that I'm mis

Re: "Key : Delaying activation to match the DNSKEY TTL."

2011-07-11 Thread Paul B. Henson
some confusion and unnecessary concern. For now, I can just ignore it, thanks again for the clarification of what was going on. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu California State Polytechnic

Re: "Key : Delaying activation to match the DNSKEY TTL."

2011-07-07 Thread Paul B. Henson
sed keys are brought into play. If dnssec-signzone doesn't use the keys that should be active, and there are no updates for a month (which would result in another signing), I'll end up with invalid signatures before the next scheduled key generation :(. -- Paul B. Henson | (909) 979-6

Re: "Key : Delaying activation to match the DNSKEY TTL."

2011-07-06 Thread Paul B. Henson
ould have been published for the last month, the second for the last year? Wait, how does dnssec-signzone know whether or not a key has been published or not? I could have created a key 10 seconds ago and set a publication date of last year, and what would distinguish that from a key actually created an

"Key : Delaying activation to match the DNSKEY TTL."

2011-07-05 Thread Paul B. Henson
re it would be much appreciated, thanks... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu California State Polytechnic University | Pomona CA 91768 ___ Please

Re: bind 9.7.1 tries to automatically resign non-dynamic zones

2010-09-03 Thread Paul B. Henson
ninc, which is resulting in the error messages and failures listed below. None of this seems conditional on the zone in question being dynamic. Anybody have any suggestions on how to make bind stop trying to automatically resign a non-dynamic zone? Thanks... On Sun, 29 Aug 2010, Paul B. Henson wrote

bind 9.7.1 tries to automatically resign non-dynamic zones

2010-08-29 Thread Paul B. Henson
en any actual updates that might have been performed). From reviewing the manual, this behavior should only occur if the zones are dynamic, *and* auto-dnssec is enabled, neither is true. Bug? Thanks... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Sys

Re: dnssec-keygen & dnssec-signzone "smart signing" vs time zones

2010-04-28 Thread Paul B. Henson
e "TIMING OPTIONS" section? That's the documentation I was reviewing while looking into this. Thanks... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu California State Polytechnic University

Re: dnssec-keygen & dnssec-signzone "smart signing" vs time zones

2010-04-28 Thread Paul B. Henson
and pass that on the command line instead. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu California State Polytechnic University | Pomona CA 91768 ___ bind-users ma

dnssec-keygen & dnssec-signzone "smart signing" vs time zones

2010-04-28 Thread Paul B. Henson
etadata being relative and dnssec-signzone doing different things depending on where it's run, and the headache of not being able to specify times based on your local timezone 8-/. Am I missing something? Thanks for any insight... -- Paul B. Henson | (909) 979-6361 | http://ww

Re: split view dns, with a shared dynamic zone?

2009-01-06 Thread Paul B. Henson
that problem. I will give it another try. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu California State Polytechnic University | Pomona CA 91768 ___ bind-user

Re: split view dns, with a shared dynamic zone?

2008-12-30 Thread Paul B. Henson
be nice if you could have both split view zones and standalone zones on the same server. Perhaps a feature request :)? Thanks for the suggestion, I'll play with it and see what happens. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network

Re: split view dns, with a shared dynamic zone?

2008-12-30 Thread Paul B. Henson
all. Is there any way to accomplish that? I've reviewed the configuration documentation and searched but haven't found anything helpful. Thanks... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomo

split view dns, with a shared dynamic zone?

2008-12-29 Thread Paul B. Henson
ame master/slaves as everything else) I can't think of a way to implement this. Thanks for any suggestions... -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu Californi