[ off list ]
> I couldn't help noticing that when you ran dnssec-dsfromkey you
> referenced this directory: /usr/home/dns/Fixed
nah. i have multiple copies so i can `rsync` them to refresh.
i am getting closer. as mark pointed in the direction, i found that the
keys produced by the extraction
> You DS and DNSKEY rrset are not matched. You
> need to publish the DS for the DNSKEY with key
> tag 3463.
>
> rg.net. 86256 IN DS 12391 8 2
> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>
> rg.net. 3463 IN DNSKEY 256 3 8 (
> AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
>
FreeBSD 13.2-RELEASE-p10 amd64
bind 9.16.48
softhsm-1.3.8 (yes, i know)
opendnssec 2.1.13
moon in klutz
been running opendnssec, and trying to move to bind inline-signing
in the hope of making it more readable, the sad story is at
https://git.rg.net/randy/randy/src/master/scratch.md
thanks for a
> I admit here we most often work with internal only forwarders, which
> are not accessible from outer internet. So those won't be under attack
i am always impressed by security optimism
randy
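The reply quoted above boils down to a key tag check: the DS the parent publishes (tag 12391) does not correspond to the DNSKEY the zone is serving (tag 3463), so validators have no chain to the signing key. The following is an added example, not code from this thread, from BIND or from OpenDNSSEC. It recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, SHA-256 per RFC 4509) from presentation-format records as dig prints them, including digests and keys split over several whitespace chunks as in the DS above. The DNSKEY used is a constructed sample with a dummy 4-byte key, since the real key in the thread is truncated; `rg.net.` is reused only as the owner name.

```python
"""DS vs DNSKEY consistency check: key tag (RFC 4034 App. B) and DS digest.

Added example; not code from this thread, BIND or OpenDNSSEC.  Works on
presentation-format records as printed by dig, so a published DS can be
checked against the child's DNSKEY.  SAMPLE_DNSKEY is a constructed record
with a dummy 4-byte key, not a real RSA key.
"""
import base64
import hashlib
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def owner_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Sum RDATA as big-endian 16-bit words and fold the carry (RFC 4034 B.1)."""
    if len(rdata) >= 4 and rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key


@dataclass
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, whitespace removed


def _rdata_tokens(line: str, rtype: str):
    """(owner, RDATA tokens) of a presentation-format RR.  Tolerates optional TTL/class,
    '(' ')' from multi-line output, a trailing ';' comment, and RDATA split into chunks."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t.upper() == rtype)
    out = []
    for t in tokens[idx + 1:]:
        if t.startswith(";"):
            break
        if t.strip("()"):
            out.append(t.strip("()"))
    return tokens[0], out


def parse_dnskey(line: str) -> DNSKEY:
    owner, f = _rdata_tokens(line, "DNSKEY")
    return DNSKEY(owner, int(f[0]), int(f[1]), int(f[2]), base64.b64decode("".join(f[3:])))


def parse_ds(line: str) -> DS:
    owner, f = _rdata_tokens(line, "DS")
    return DS(owner, int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper())


def ds_digest(key: DNSKEY, digest_type: int = 2) -> str:
    """H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](owner_to_wire(key.owner) + key.rdata).hexdigest().upper()


def check_ds(ds_line: str, dnskey_line: str) -> str:
    """'ok' if ds_line covers dnskey_line, otherwise a one-line reason."""
    ds, key = parse_ds(ds_line), parse_dnskey(dnskey_line)
    if ds.owner.lower() != key.owner.lower():
        return f"owner mismatch: {ds.owner} vs {key.owner}"
    if ds.key_tag != key_tag(key.rdata):
        return f"key tag mismatch: DS says {ds.key_tag}, DNSKEY is {key_tag(key.rdata)}"
    if ds.algorithm != key.algorithm:
        return f"algorithm mismatch: DS says {ds.algorithm}, DNSKEY is {key.algorithm}"
    if ds.digest_type not in DIGESTS:
        return f"unsupported digest type {ds.digest_type}"
    if ds_digest(key, ds.digest_type) != ds.digest:
        return "digest mismatch: tag and algorithm agree but the digest does not"
    return "ok"


# Constructed sample ZSK (flags 256, protocol 3, RSASHA256) with a dummy 4-byte key,
# and the DS quoted in the thread, whose key tag 12391 cannot cover that key.
SAMPLE_DNSKEY = "rg.net. 3600 IN DNSKEY 256 3 8 AQIDBA=="
PUBLISHED_DS = ("rg.net. 86256 IN DS 12391 8 2 "
                "0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9")
```

Run `check_ds` over the DS from `dig +dnssec DS rg.net` at the parent and each DNSKEY from `dig DNSKEY rg.net @<authoritative>`; anything other than `ok` for every key that signs the zone apex means validators cannot build a chain, which is exactly the state described above. The digest can be regenerated for the parent with `ds_digest(parse_dnskey(line))` once the intended key is known.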
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the
have spent a bit searching but no result. so ...
can i use an acl{} or other macro in `also-notify`? i have a bunch of
zones where i want the same `also-notify` list.
thanks
randy
> If you have a true duplicate you only need to answer it once otherwise
> you have different clients and you need to answer all of them. Note
> there can be multiple clients on the same address.
i gotta ask.
so, for address foux, how do i know if there is one client or more than
one?
randy
--
> Can you share a bit about why you want to get out of using
> opendnssec/openhsm?
i need bind bitw for other zones. so two methods, one with a lot of
moving parts, ...
> I would regard this as an opportunity to test key rollover with your
> parent zone :-)
i have plenty of bullets and only two
>> is there a known hack to extract keys from opendnssec/openhsm to use for
>> bind bitw inline-signing?
>
> Assuming you mean SoftHSM
sorry, my bad. first cuppa.
> I don't think so, at least not when using its default settings. (That
> is one of the main features of an HSM -- to keep the keys
is there a known hack to extract keys from opendnssec/openhsm to use for
bind bitw inline-signing?
randy
hi mark
>> hidden primary can not sign. can the public primary which fetches
>> from it, and happens to be primary for the parent zone, do bitw
>> signing?
>
> In-line signing is the concept you are looking for and yes named
> supports it.
i know bind9 does bitw. happy to learn it is called in
hidden primary can not sign. can the public primary which fetches from
it, and happens to be primary for the parent zone, do bitw signing?
randy
an ancient csh script named `doc` used to be guiltily associated with
bind. i can no longer find it. i have 2.2.3 from 2001.07.25. anyone
know the whereabouts of anything more recent? 2.2.3 has a little bug
on macOS Ventura.
randy
>> my guess is that they see dnssec as fragile, have not seen _costly_
>> dns subversion, and measure a dns outages in thousands of dollars a
>> minute.
> No one wants to be this guy:
> http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf
so, to me, a crucial question
> TLD Signed? Comments
> -----
> google.com no
> gmail.com no
> youtube.com no
> apple.com no
> microsoft.com no
> amazon.com no
> walmart.com no
> outlook.com no
> 1e100.net no
> facebook.com no
> twitter.com no
> instagram.com
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
> for some reason lost in time, i have the following in `/etc/ipfw.rules`
> on a freebsd system running bind9
>
> add allow tcp from any to me 53 limit src-addr 1 setup
> add deny tcp from any to me 53
and now i know why
# lsof -i :53
COMMAND PID USER FD TYPE DEVICE SIZ
for some reason lost in time, i have the following in `/etc/ipfw.rules`
on a freebsd system running bind9
add allow tcp from any to me 53 limit src-addr 1 setup
add deny tcp from any to me 53
the results are
01000 48358531 6390772849 allow tcp from any to me 53 setup limit
src-ad
> Presumably you are running with `named -u`
# grep named /etc/rc.conf
named_enable=YES
named_program=/usr/local/sbin/named
named_conf=/usr/home/dns/named.conf
named_chrootdir=""
named_chroot_autoupdate=NO
named_uid=bind
named_gid=bind
named_wait=YES
named_a
FreeBSD 12.2-RELEASE-p6 GENERIC on amd64
bind 9.16.19 from binary ports
ok, i was quietly waiting for a fix to magically appear and it hasn't.
i am getting 10-20 crashes a day on each of two servers. it is not
leaving disk flowers; and i see no config option to encourage it to do
so.
randy
---
> We have slightly less then 25% for IPv6 queries.
> And about 4-5% TCP queries.
considering we share the load of the same non-trivial signed cctld, i
should be seeing similarly. though i am sure both of us serve a few
more . and tony and hugo (the latter privately) are seeing similar,
though ma
> We run about 300 TLD's on our DNS platform and get roughly 5-10% TCP
> queries.
that is quite a variance
> In comparison, we get about 25-30% IPv6 queries.
wonder how that compares to others
thanks for actual data
randy
> ... are there that many folk doing tcp out there?
All name servers fall back to TCP when they receive truncated
replies.
>>>
>>> we know the protocol. [ and we know folk have idiot middleboxen ]
>>>
>>> what i was asking was the distribution of this in the wild
>>
>> one word: D
>> estimate or measure the distribution of the ratio of udp to tcp
>> queries on say 100 cctld servers
>
> bla - 512 bytes are easily exceeded
>
> more than 10 years ago i also thought i am smart and TCP 53 is only
> needed for zone-transfers until i realized that random e-mail errors
> where the
... are there that many folk doing tcp out there?
>>> All name servers fall back to TCP when they receive truncated replies.
>>
>> we know the protocol. [ and we know folk have idiot middleboxen ]
>>
>> what i was asking was the distribution of this in the wild
>
> one word: DNSSEC
i.e. i
>> ... are there that many folk doing tcp out there?
> All name servers fall back to TCP when they receive truncated replies.
we know the protocol. [ and we know folk have idiot middleboxen ]
what i was asking was the distribution of this in the wild.
randy
> mdig @147.28.0.39 -f queries.txt
>
> queries.txt contains 40x
> switch.ch A
>
> I would suggest something like this:
>
> rate-limit {
> // start rate-limiting if more than X identical
> // responses per second, default 0 i.e. unlimited
> responses-per-second 25;
> nxdomains-per-sec
[ pulls head out of sand ]
so, i guess there is a named tcp dos going around. using bind9, is
there an amelioration? or am i misconfigured in some way?
randy
Jul 29 14:07:26 rip named[4146]: 29-Jul-2018 14:07:26.428 client: warning:
client 67.205.183.100#60084: no more TCP clients: quota rea
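Before changing `tcp-clients` or firewall rules, it helps to know whether the quota warnings above come from one source hammering the server or from a broad, steady load. The following is an added example, not code from this thread or from BIND, that parses named's own log format as quoted above (`<date> client: warning: client <ip>#<port>: no more TCP clients: quota reached`, with or without a syslog prefix in front) and aggregates the warnings per source address and per minute. One caveat: the address in that warning is the connection that tripped the quota, not necessarily the clients holding the open slots; for those, look at the sockets with lsof or netstat as done earlier in this thread. The log lines embedded below are constructed samples using documentation addresses (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).

```python
"""Who is tripping the named TCP client quota, and how often?

Added example, not code from this thread or from BIND.  Parses the named
log format quoted in the thread and aggregates 'no more TCP clients' warnings
per source and per minute.  SAMPLE_LOG is constructed, not captured data.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# named's own timestamp, category, severity, then "client <ip>#<port>: <message>".
LINE_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.*)$"
)
TCP_QUOTA_MSG = "no more TCP clients: quota reached"

# Constructed sample lines; the first carries a syslog prefix like the one in the thread.
SAMPLE_LOG = """\
Jul 29 14:07:26 rip named[4146]: 29-Jul-2018 14:07:26.428 client: warning: client 192.0.2.10#60084: no more TCP clients: quota reached
29-Jul-2018 14:07:26.501 client: warning: client 192.0.2.10#60085: no more TCP clients: quota reached
29-Jul-2018 14:07:27.002 client: warning: client 198.51.100.7#4431: no more TCP clients: quota reached
29-Jul-2018 14:07:27.940 client: warning: client 192.0.2.10#60086: no more TCP clients: quota reached
29-Jul-2018 14:08:01.113 client: warning: client 2001:db8::53#12345: no more TCP clients: quota reached
29-Jul-2018 14:08:02.000 security: info: client 203.0.113.9#5353: query (cache) 'example.com/A/IN' denied
this line is not a named log line at all
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Fields of one named log line, or None if it does not match the format."""
    m = LINE_RE.search(line)  # search, not match, so a syslog prefix is tolerated
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S")
    d["port"] = int(d["port"])
    return d


def tcp_quota_events(lines) -> list:
    """Only the TCP quota warnings, parsed; other categories and junk are dropped."""
    return [e for e in map(parse_line, lines) if e and e["msg"] == TCP_QUOTA_MSG]


def refusals_by_source(lines) -> Counter:
    """How many times each source address tripped the quota."""
    return Counter(e["ip"] for e in tcp_quota_events(lines))


def refusals_per_minute(lines) -> Counter:
    """Warnings bucketed by minute: a burst looks very different from a steady state."""
    return Counter(e["ts"].strftime("%d-%b-%Y %H:%M") for e in tcp_quota_events(lines))


def top_offenders(lines, min_count: int = 2) -> list:
    """Sources seen at least min_count times, worst first; candidates for a closer look."""
    return [ip for ip, n in refusals_by_source(lines).most_common() if n >= min_count]
```

Feed it the named log (or the syslog file named writes to) with `tcp_quota_events(open(path))`; if `top_offenders` returns a handful of addresses while `refusals_per_minute` shows a tight burst, the problem is a few abusive clients rather than the quota being too small for legitimate load, and the two call for different fixes.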