-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I conducted DNSSEC tests with BIND 9.8 (also 9.7.3) and Thales nShield
HSM.
Everything compiled fine, I was able to generate keys and list keys on HSM:
# pkcs11-list -p xxx
object[0]: handle 1120 class 3 label[6] 'example-KSK' id[0]
object[1]: han
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-24 17:47, Kalman Feher wrote:
> This appears to be the problem.
> I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could
> not replicate it. Try turning up the logging to get more information about
> why the nsec3param
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-24 14:34, Kalman Feher wrote:
> I assume you did add the nsec3param record via nsupdate after adding the
> zone? I note that there is an NSEC entry there, which is not right.
>
Yes, with nsupdate, and the lack of NSEC3PARAM was very odd.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-21 15:17, Kalman Feher wrote:
>> Perhaps we are getting close to the problem then.
>> Can you show the content of the key files? Specifically the metadata which
>> the "maintain" option wants.
>
>> Since "allow" works I'm assuming that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-21 11:23, Kalman Feher wrote:
> The only way I can replicate the behaviour is with dnssec-enable no or with
> an unsigned version of the zone in another view. Assuming you've not
> overlapped your views in such a way (it was a very contr
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-19 18:38, Hauke Lampe wrote:
> Another thing you might check:
>
> With "dnssec-enable no;" in named.conf, BIND still does its automatic
> DNSSEC signing but won't add RRSIG to responses.
>
> I ran across such a configuration lately. Y
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-19 14:24, Kalman Feher wrote:
> Try without +short ;)
> I also have the habit of using that and can get caught out. Remember that
> +short only includes the answer, which is not the RRSIG you are hoping to
> see.
>
RRSIG is _the_ answe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-17 15:39, Kalman Feher wrote:
> Have you tried more sane times?
>
> Those don't look like sensible times even for a test, which is probably why
> BIND isn't signing. I think you are below the sensitivity level for BIND to
> sign automat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi all,
I have my test zone example configured with option auto-dnssec maintain;
zone "example" {
type master;
file "var/zone/example";
allow-update { loopback; };
allow-transfer { trusted; loopback; };
auto-d