Hello all,
first let me thank you for your patience.
On Fri, Jul 11, 2014 at 10:47 AM, Mark Andrews wrote:
>
> In message
>
> , Wolfgang Rosenauer writes:
>> All but one request succeeded:
>> s15418965:~ # dig dnskey org +dnssec @199.19.56.1 +ignore +norec
>>
>> ; <<>> DiG 9.9.4-rpz2.13269.14
In message
, Wolfgang Rosenauer writes:
> On Fri, Jul 11, 2014 at 1:32 AM, Mark Andrews wrote:
> >
> > Then all of the following should succeed. Please let the
> > list know how you go.
> >
> > dig soa . @198.41.0.4 +norec
> > dig soa . @198.41.0.4 +dnssec +norec
On Fri, Jul 11, 2014 at 1:32 AM, Mark Andrews wrote:
>
> Then all of the following should succeed. Please let the
> list know how you go.
>
> dig soa . @198.41.0.4 +norec
> dig soa . @198.41.0.4 +dnssec +norec
> dig dnskey . @198.41.0.4 +dnssec +norec
>
In message
, Wolfgang Rosenauer writes:
> ok, sorry for the confusion but I think what's more relevant is that
>
> s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
> rst.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net.
> "87.106.30.170 DNS
ok, sorry for the confusion but I think what's more relevant is that
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"87.106.30.170 DNS reply size limit is at least 3843 bytes"
"87.106.30.170
Wolfgang Rosenauer wrote:
>
> s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
>
> there is no output at all. Is that also expected and the reason is the
> UDP limitation?
Yes.
Tony.
--
f.anthony.n.finch  http://dotat.at/
Trafalgar: Easterly or northeasterly 5 to 7, decreasing 4 in sou
btw, don't know what that means exactly.
In addition the output above to test the UDP sizes when I do that on
the correct/my bind:
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
there is no output at all. Is that also expected and the reason is the
UDP limitation?
Thanks,
Wolfgang
On Thu, Jul 10, 2014 at 4:54 PM, Mark Andrews wrote:
>
> Firstly upgrade. You are out of date.
I currently run a distribution provided version which is pretty new
compared with most published Linux distributions but if it helps I
would do that as well.
> Secondly fix your firewall. You need to
Firstly upgrade. You are out of date.
Secondly fix your firewall. You need to allow through 4K DNS UDP
messages. You need to turn off whatever is blocking the bigger
packets and you also need to allow through fragmented UDP packets.
Mark
In message
, Wolfgang
Rosenauer writes:
> On Thu, Ju
On Thu, Jul 10, 2014 at 4:16 PM, Tony Finch wrote:
>
> Suspicious. What do you get if you run
> dig +short rs.dns-oarc.net txt
s15418965:~ # dig +short rs.dns-oarc.net txt
rst.x479.rs.dns-oarc.net.
rst.x488.x479.rs.dns-oarc.net.
rst.x493.x488.x479.rs.dns-oarc.net.
"2001:8d8:870:1200::53 D
Wolfgang Rosenauer wrote:
>
> first thing:
> 2014-07-10T16:04:56.862405+02:00 s15418965 named[29815]:
> managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': timed out
>
> Eventually the file appeared a bit later with the dlv.isc.org key.
Suspicious. What do you get if you run
dig
On Thu, Jul 10, 2014 at 4:00 PM, Tony Finch wrote:
> Wolfgang Rosenauer wrote:
>
>> Changed it now to dnssec-lookaside auto and it still behaves exactly
>> the same way.
>
> What happens if you delete the managed-keys files and restart?
first thing:
2014-07-10T16:04:56.862405+02:00 s15418965 nam
Wolfgang Rosenauer wrote:
> Changed it now to dnssec-lookaside auto and it still behaves exactly
> the same way.
What happens if you delete the managed-keys files and restart?
Tony.
--
f.anthony.n.finch  http://dotat.at/
North Utsire, South Utsire, East Forties: Variable, mainly northeasterl
On Thu, Jul 10, 2014 at 1:38 PM, Tony Finch wrote:
> Wolfgang Rosenauer wrote:
>>
>> dnssec-validation auto;
>> dnssec-lookaside . trust-anchor dlv.isc.org.;
>
> Why not use dnssec-lookaside auto; ?
No strong reason. I found many examples how to set it up during the
last two days
Wolfgang Rosenauer wrote:
>
> dnssec-validation auto;
> dnssec-lookaside . trust-anchor dlv.isc.org.;
Why not use dnssec-lookaside auto; ?
Tony.
--
f.anthony.n.finch  http://dotat.at/
West Forties, Cromarty, Forth, Tyne, Dogger: Northerly or northwesterly 5 or
6, decreasing 4.
Hi,
I'm pretty much new to DNSSEC and try to deploy my first bind to
support it correctly.
My bind version is 9.9.4P2 and what I did is the following just to
allow DNSSEC verification (no zone management yet):
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside . t