Re: DNSSEC Validation not working

Hi Luca, This is correct: dnssec-validation auto; If you use "yes" there, then you must supply a trust anchor. Auto is the default. The only idea I have is this: zone "." IN { type hint; file "named.ca"; }; You don't need this anymore. BIND 9.18 wil

DNSSEC Validation not working

ou MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-validation aut

RE: Questions about "dnssec validation" statement

Thanks I'll try that. -Original Message- From: Evan Hunt Sent: Thursday, March 6, 2025 1:46 PM To: Chris Isaksen Cc: bind-users@lists.isc.org Subject: Re: Questions about "dnssec validation" statement On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote: >

Re: Questions about "dnssec validation" statement

Hi Chris If you've got your global options set similarly to this options { dnssec-validation auto; // Global validation enabled // ... other options ... }; Have you been able to try something along the lines of this? zone "no-dnssec.example" { type forward; forward

Questions about "dnssec validation" statement

I was wondering if dnssec validation could be set to auto in the options section and then set it to 'no' in a particular zone? We would like to use "dnssec validation auto" but a few forwarding zones we have, we know do not use dnssec and queries fail if it's not se

Re: Questions about "dnssec validation" statement

On Thu, Mar 06, 2025 at 12:56:08PM +, Chris Isaksen wrote: > I was wondering if dnssec validation could be set to auto in the options > section and then set it to 'no' in a particular zone? > > We would like to use "dnssec validation auto" but a few forwarding

RE: Questions about "dnssec validation" statement

05 AM To: Chris Isaksen Cc: bind-users@lists.isc.org Subject: Re: Questions about "dnssec validation" statement Hi Chris If you've got your global options set similarly to this options { dnssec-validation auto; // Global validation enabled // ... other options ... }; Have

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Thanks Mark. It's right there in the log. Bob -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mail

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Named will tell you which DNSSEC algorithms it supports. Depending upon the OS and its configuration this may differ. DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448 vs DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384S

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Would this be true for FreeBSD as well? I also have a bind 9.18.24 instance running on freeBSD and it seems to be ok. Bob > The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings. > Whilst a

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

art From: bind-users on behalf of John Thurston Date: Thursday, 18 April 2024 at 06:39 To: "bind-users@lists.isc.org" Subject: Re: Answers for www.dnssec-failed.org with dnssec-validation auto; Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock had fall

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock had fallen on my head. I know I can re-enable SHA1 for everything on the host with: update-crypto-policies --set DEFAULT:SHA1 But that's a fairly broad stroke, when only 'named' needs to accept such signatures. Is

Re: Answers for www.dnssec-failed.org with dnssec-validation auto; (John Thurston)

My bind 9.18.24 server runs under Debian. When I query with dig it appears to take long enough to resolve that it goes to the next DNS server in the client's IP stack. The secondary server in my list is quad9. It seems to resolve correctly. If I point to the address of my Debian server, it works bu

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

"ns88-testPrimary-key";     }; }; options {     directory "/var/opt/testPrimary/named/data";     dump-file "cache_dump.db";     listen-on port 1053 {     127.0.0.1/32;         };

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

dump-file "cache_dump.db";     listen-on port 1053 {     127.0.0.1/32;     };     querylog yes;     dnssec-validation auto;     empty-zones-enable no;     recursion yes; }; key "ns88-testPrimary-key" {     algorithm "hmac-sha256";  

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

On 17/04/2024 11:41, John Thurston wrote: I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . u

Answers for www.dnssec-failed.org with dnssec-validation auto;

I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until it doesn't. After several seconds of a

FW: dnssec-validation? SOLVED

Hello. I just want to say everything seems to be working on my domain, and my primary dns server already performs validation Dnssec-validation is set to auto, like on the secondary dns, and it's working. When I perform Dig @dns www.dnssec-failed.org it already returns SERVFAIL and the rest

RE: dnssec-validation?

are (again) my named.conf on the primary and secondary server to find why dnssec-validation needs to be off on the primary. Thanks! David -Original Message- From: Mark Andrews Sent: 14 April 2023 02:35 To: David Carvalho Cc: Evan Hunt ; bind-users@lists.isc.org Subject: Re: dnssec-

Re: dnssec-validation?

r my > domain. > > A few months ago I updated both dns servers to Oracle Linux 8, running BIND > 9.16.23 to prepare for this. > They seem to be working fine as previously, running as both recursive and > authoritative for di.ubi.pt. > > DNS2 has still "dnssec-validation a

RE: dnssec-validation?

me I reconfigure and reload, I would stick with this version. Regards David -Original Message- From: Evan Hunt Sent: 13 April 2023 18:08 To: David Carvalho Cc: bind-users@lists.isc.org Subject: Re: dnssec-validation? On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote: > P

Re: dnssec-validation?

On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote: > Problem number 1: Dnssec seems to be running on "di.ubi.pt", but > dnssec-validation still needs to be set to no; Will this cause troubles? > Dns2 is set to auto and runs fine. >From here, di.ubt.pt appears

RE: dnssec-validation?

Hello again. Problem number 1: Dnssec seems to be running on "di.ubi.pt", but dnssec-validation still needs to be set to no; Will this cause troubles? Dns2 is set to auto and runs fine. Problem number 2: How can I avoid the key regeneration (using version 9.16.23) every named resta

RE: dnssec-validation?

to prepare for this. They seem to be working fine as previously, running as both recursive and authoritative for di.ubi.pt. DNS2 has still "dnssec-validation auto;" on its /etc/named.conf. I've found out that if I wanted my primary server to start answering my internal requests for

Re: dnssec-validation?

On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users wrote: > After reverting my primary dns configuration, and asking my provider to > remove the DNSKEY, I had to include dnssec-validation no; otherwise it would > keep answering with SERVFAIL > > I noticed

dnssec-validation?

record to parent domain, the test performed by dnssec-analyzer showed everything ok, nevertheless, all queries except those about my.domain were Rejected with SERVFAIL. dig @my.server or dig @localhost My secondary dns server hold everything while testing, and I noticed I had dnssec-validatio

Use of stale data during dnssec validation

Today, we had a case where one of our resolvers (9.16.37) failed to return an SOA-record for the TLD 'us'. digging with the +cd flag, returned a value, while delving with +vtrace failed: ;; fetch: us/SOA ;; resolution failed: SERVFAIL Fingers pointed to a failure to validate. I dumped the cach

Re: Finding dnssec validation failures in the logs

nt higher confidence that I'm > recognizing the important lines in the logs before I start casting stones. > > -- > Do things because you should, not just because you can. > > John Thurston907-465-8591 > john.thurs...@alaska.gov > Department of Administration >

Re: Finding dnssec validation failures in the logs

can. John Thurston907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska On 1/24/2023 5:26 AM, Michael Richardson wrote: John Thurston wrote: > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am > writing "cat

Re: Finding dnssec validation failures in the logs

John Thurston wrote: > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am > writing "category dnssec" to a log file  at "severity info;"  When I look in > the resulting log file, I'm guessing that lines like t

Re: Finding dnssec validation failures in the logs

guess it could mean someone is trying to serve up wrong answers ... Found many lines of 'no valid signature found’ I think you are probably OK. > On Jan 23, 2023, at 7:44 PM, John Thurston wrote: > > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I

Finding dnssec validation failures in the logs

On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am writing "category dnssec" to a log file  at "severity info;"  When I look in the resulting log file, I'm guessing that lines like this: validating com/SOA: got insecure response; pa

Re: DNSSEC validation via AD bit?

On 31. 01. 22 11:50, Tony Finch wrote: 2. Should sendmail not be trusting the AD bit in replies from the admin configured (i.e., trusted by admin) resolvers? It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also relies on the AD bit to validate SSHFP records. But using AD is

Re: DNSSEC validation via AD bit?

Gregory Shapiro via bind-users wrote: > > Two questions: Slightly expanding on Mark's answers... > 1. Is there a reason when BIND is running as both a recursive server and > an authoritative server for a domain, it doesn't set the AD bit when > answering resolver queries for one of its authorita

Re: DNSSEC validation via AD bit?

> On 31 Jan 2022, at 10:45, Gregory Shapiro via bind-users > wrote: > > sendmail's implementation of DANE determines whether DNSSEC validation was > successful based on the presence of the AD bit in the response to the DANE > record lookup. > > An e

DNSSEC validation via AD bit?

sendmail's implementation of DANE determines whether DNSSEC validation was successful based on the presence of the AD bit in the response to the DANE record lookup. An equivalent dig lookup would be: % dig TLSA _25._tcp.smtp.gshapiro.net. ... ;; Got answer: ;; ->

Re: AW: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

On 27. 01. 22 16:05, Gehrkens.IT GmbH | Heiko Wundram wrote: Hello Tony, The other things that can cause the behaviour you observed are synth-from- dnssec and qname-minimization. thanks for the heads up concerning synth-from-dnssec; I thought the default was "no", but that seems to have chang

AW: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

Hello Tony, > The other things that can cause the behaviour you observed are synth-from- > dnssec and qname-minimization. thanks for the heads up concerning synth-from-dnssec; I thought the default was "no", but that seems to have changed somewhere between 9.14 and 9.16... I've just changed that

Re: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

Gehrkens.IT GmbH | Heiko Wundram wrote: > > From what I gather, this behaviour sounds almost like what RFC 8020 proposes > (NXDOMAIN cut), but at least according to the corresponding ticket, that > isn't implemented in BIND. The other things that can cause the behaviour you observed are synth-fro

Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

ch lists all of the forwarded zones. Generally, this works: in the views that should resolve the internal forwarded zone names, I can resolve them, and BIND also skips DNSsec validation for those zones. Now comes the but: if I resolve a zone name in .lan or .local which is not forwarded I g

Re: How to selectively skip DNSSEC validation?

type forward; > forward only; > forwarders { 192.168.0.7; }; > }; > > The options section of the file specifies > > recursion yes; > dnssec-enable yes; > dnssec-validation yes; > > Note that 192.168.0.7 is my local LAN address for my AREDN

Re: How to selectively skip DNSSEC validation?

}; > }; > > zone "10.in-addr.arpa." IN { >type forward; >forward only; >forwarders { 192.168.0.7; }; > }; > > The options section of the file specifies > >recursion yes; >dnssec-enable yes; >dnssec-valid

How to selectively skip DNSSEC validation?

rward only; forwarders { 192.168.0.7; }; }; zone "10.in-addr.arpa." IN { type forward; forward only; forwarders { 192.168.0.7; }; }; The options section of the file specifies recursion yes; dnssec-enable yes; dnssec-validation yes; Note

Re: Dnssec-validation auto

resolv.conf has only itself as dns server When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server. 13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed 13-Nov-2020 11:09:18.998

Re: Dnssec-validation auto

NSSEC signed domain. Try debuging salesforce.com. domain verification instead. On 11/13/20 1:59 PM, Ismael Suarez wrote: > With "dnssec-validation AUTO;" I get: > > # delv +cd www.popularsba.com > ;; resolution failed: timed out > > > With "dnssec-validation N

Re: Dnssec-validation auto

With "dnssec-validation AUTO;" I get: # delv +cd www.popularsba.com ;; resolution failed: timed out With "dnssec-validation NO;" I get: # delv +cd www.popularsba.com ;; resolution failed: timed out ; unsigned answer www.popularsba.com. 279 IN CNAME

Re: Dnssec-validation auto

.00d1n02kxqqua0.gslb.siteforce.com. 4.0p13m008e6qcaq.00d1n02kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253 Cheers, Petr On 11/13/20 5:26 AM, Ismael Suarez wrote: > Hi all > > The following domain (www.popularsba.com) does not resolve with dnssec > validation set to auto, but w

Dnssec-validation auto

Hi all The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works. Why is this? How can I check this validation? Using bind 9.12 Thanks to all ___ Please visit https

Re: About DNSSec-Validation=Yes and bind.keys

to include them yourself. Try adding: include "/etc/bind.keys"; to your configuration, if dnssec-validation yes; is used. Best Regards, Petr On 11/12/20 11:18 AM, Onur GURSOY wrote: > Hello Everyone, > I have some trouble about bin9 and dnssec > When i set dnssec-validatio

About DNSSec-Validation=Yes and bind.keys

Hello Everyone, I have some trouble about bin9 and dnssec When i set dnssec-validation to auto. My dns server is talking with google dns server (8.8.8.8 and 8.8.4.4) and when i set to dnssec-validation to yes it couldn't talk with google dns server. i have realized, there is no pre de

Re: Exempt .local from dnssec validation on resolver?

One may also want to disable synth-from-dnssec to prevent this NSEC record synthesising a negative response. loans. 4070IN NSEClocker. NS DS RRSIG NSEC If named gets a query for a name in the covered range it will learn the NSEC record and will synthesise a negative

Re: Exempt .local from dnssec validation on resolver?

On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote: > In 9.11, no. In 9.14, you can use "validate-except { local; };" (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation on a given domain, but negative trust anchors expire after a while, so you have to keep doing it

Re: Exempt .local from dnssec validation on resolver?

On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote: > Is there any way to tell my resolver it shouldn't be validating > responses for foo.local? In 9.11, no. In 9.14, you can use "validate-except { local; };" -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___

Exempt .local from dnssec validation on resolver?

influence or control. The difficulty is if my named.conf contains: dnssec-validation auto; then I'm unable to return records for things like a.foo.local, and my log contains info-messages of the sort: --- lame-servers: info: insecurity proof failed resolving 'foo.local/SOA/IN

Re: DNSSEC validation via DLV

via bind-users Sent: Thursday, 18 July 2019 10:22 PM To: m...@posix.co.za; bind-users@lists.isc.org Subject: Re: DNSSEC validation via DLV Not a difficult process really.. -Configure a DNSSEC enabled name server -Create a some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone) -Update

Re: DNSSEC validation via DLV

On 19/07/2019 9:27 am, p...@vspace.co.za wrote: > > Problem being, no options exist as to export the DS record of co.za, com.au > or net.au domains to the respective registrars, being namecheap.com and > axxess.co.za. > Change registry right ? Crazy domains supports them for the ".com.au"

RE: DNSSEC validation via DLV

oned, >> though zones still exists that does not provide a fully signed path >> from root to zone, i.e. .com.au , co.za etc, how would an >> administrator enable / implement DNSSEC validation for these zones ? >> >> >> __

Re: DNSSEC validation via DLV

es still exists that does not provide a fully signed path >> from root to zone, i.e. .com.au , co.za etc, how would an >> administrator enable / implement DNSSEC validation for these zones ? >> >> >> ___ >> Please visi

Re: DNSSEC validation via DLV

th DLV (DNSSEC Lookaside Validation) having been decommissioned, though zones still exists that does not provide a fully signed path from root to zone, i.e. .com.au , co.za etc, how would an administrator enable / implement DNSSEC validation f

DNSSEC validation via DLV

With DLV (DNSSEC Lookaside Validation) having been decommissioned, though zones still exists that does not provide a fully signed path from root to zone, i.e. .com.au , co.za etc, how would an administrator enable / implement DNSSEC validation for these zones

Re: dnssec-validation auto vs yes

On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt wrote: > > On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > > The default BIND9 installation for CentOS7 has dnssec-validation set to > > "yes" and it also includes managed-keys as well. Do those

Re: dnssec-validation auto vs yes

Shawn Zhou via bind-users wrote: > Thanks Even. Sounds like "dnssec-validation auto" is a more > future-proof option for what want it. I will use that instead. My recommendation is to avoid configuring or installing root trust anchors, and let named handle all that itself.

Re: dnssec-validation auto vs yes

Thanks Even. Sounds like "dnssec-validation auto" is a more future-proof option for what want it. I will use that instead. On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt wrote: On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > The

Re: dnssec-validation auto vs yes

On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > The default BIND9 installation for CentOS7 has dnssec-validation set to > "yes" and it also includes managed-keys as well. Do those managed-keys > get updated automatically? Yes, if the "manag

dnssec-validation auto vs yes

Hi, The default BIND9 installation for CentOS7 has dnssec-validation set to "yes" and it also includes managed-keys as well. Do those managed-keys get updated automatically? It is not clear from reading  https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#dnssec-validation

I need you help to separate the DNSSEC validation process

Hi all, I need to setup my lab network to have my recursive DNS server (which runs bind v9.9.5) to be able to make partial DNSSEC validation where the client should be able to make the other half of the validation process. In particular, I need the DNS resolver to be able to validate the root

Re: BIND9.11.4-P1] What happens Combination with dnssec-enable yes; dnssec-validation no; in named.conf

Sunghwan Kim(IBI) wrote: > > I would like to know what happens if dnssec-enable yes; dnssec-validation > no; in named.conf are being setting. > > Does it come SERVFAIL ? No. (But see * below...) `dnssec-enable` is to do with handling of DNSSEC records and query flags: setting

BIND9.11.4-P1] What happens Combination with dnssec-enable yes; dnssec-validation no; in named.conf

Hi All, My running server is BIND-9.11.4-P1. I would like to know what happens if dnssec-enable yes; dnssec-validation no; in named.conf are being setting. Does it come SERVFAIL ? Regards, Sunghwan. -- (주)아이비아이(www.ibi.net) DNS사업부/본부장 02-2165-7234

DNSSEC validation option in BIND 9.10

Hi people, I have two BIND 9.10.3 servers with DNSSEC validation enabled, one in one client and the other in another client. Both BIND have the same configuration lines relative to DNSSEC validation: dnssec-validation auto; dnssec-enable yes; and both has the current and future key in bind.keys

Re: DNSSEC validation

assume the validation is > > already done at the recursive resolver. > > The resolver doesn't have to do DNSSEC validation itself (though of course > it's a good idea). It just needs to pass along signatures on request. If > you're using a resolver that doesn

Re: DNSSEC validation

strip off the signatures? I assume the validation is > already done at the recursive resolver. The resolver doesn't have to do DNSSEC validation itself (though of course it's a good idea). It just needs to pass along signatures on request. If you're using a resolver that doesn&#x

Re: DNSSEC validation

Thanks Warren. I will look into https://getdnsapi.net/ . Rgds simon On Tue, Feb 13, 2018 at 2:07 PM, Warren Kumari wrote: > On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > > Hello Evan, > > > > Thank you so much for the quick response. > > > > My requirement is to implement only the rec

Re: DNSSEC validation

On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > Hello Evan, > > Thank you so much for the quick response. > > My requirement is to implement only the recursive resolve and validation > part of the DNSSEC in my client application. Our CPU and memory are very > limited. So I am not sure I can g

Re: DNSSEC validation

> Implementing a full resolver with a library is possible in BIND 9.12, > in which we spun off a lot of the name server code into a new libns > library. I can't point you to any sample code other than named itself, > though. > > Given what you said about limited CPU an

Re: DNSSEC validation

y, I can't really recommand either solution. I'd probably just use dnsmasq and turn on its DNSSEC validation option. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-use

Re: DNSSEC validation

Hello Evan, Thank you so much for the quick response. My requirement is to implement only the recursive resolve and validation part of the DNSSEC in my client application. Our CPU and memory are very limited. So I am not sure I can go and use BIND 9. With BIND 9, can I integrate the library in m

Re: DNSSEC validation

On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote: > I am trying to implement the full recursive resolver with libbind library > in my client code. I am not using resolv.conf in my implementation. Can > anyone please help to point any sample code for this. Not even BIND uses libbind anymo

DNSSEC validation

Hello, I am trying to implement the full recursive resolver with libbind library in my client code. I am not using resolv.conf in my implementation. Can anyone please help to point any sample code for this. Thank you for your help and time. Rgds simon ___

Re: DNSSEC validation without current time

unsigned now, so that would work anyway. If I want spoof protection, what should I do? Do two passes. First: Use DNS without DNSSEC validation to obtain a list of NTP servers, and thereby determine the current time. Second: Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and

Re: DNSSEC validation without current time

t;>> be used in default installation image without manual configuration? And >>> how does it resolve that name, when date of the system is 1970-1-1 or >>> something a only a bit more accurate? >>> >>> Current pool.ntp.org adresses are unsigned now, so that would work &g

Re: Re: DNSSEC validation without current time

te of the system is 1970-1-1 or >> something a only a bit more accurate? >> >> Current pool.ntp.org adresses are unsigned now, so that would work >> anyway. If I want spoof protection, what should I do? > > Do two passes. First: Use DNS without DNSSEC validation

Re: DNSSEC validation without current time

do? Do two passes. First: Use DNS without DNSSEC validation to obtain a list of NTP servers, and thereby determine the current time. Second: Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and verify the time. The second pass might detect the list of IPs has changed and bypass

Re: DNSSEC validation without current time

Hi there, On Fri, 15 Dec 2017, Barry Margolin wrote: In article , "G.W. Haywood" wrote: On Fri, 15 Dec 2017, Petr Men??k wrote: ... current time is not available or can be inaccurate. ntpdate? I think the issue is that he needs to resolve the hostname of the NTP server. Perhaps he c

Re: DNSSEC validation without current time

On 12/15/2017 08:10 AM, Timothe Litt wrote: I use an 19xLVC too (On Raspbian == Debian).  But I also have an RTC. GPS does have outages,  can take a while to get a fix, and NTP wants consensus.  So I use my GPS receiver as a local clock source (preferred), but also configure several servers fr

Re: DNSSEC validation without current time

In article , "G.W. Haywood" wrote: > Hi there, > > On Fri, 15 Dec 2017, Petr Men??k wrote: > > > ... current time is not available or can be inaccurate. > > ntpdate? I think the issue is that he needs to resolve the hostname of the NTP server. -- Barry Margolin Arlington, MA _

Re: Re: DNSSEC validation without current time

re to recompile a kernel that's configured > appropriately, I feel the clock can be synchronized to about 1us > accuracy. > > It is more or less reliable and value for $70 if one wants UTC on their > computer without accessing the internet. This is more than sufficient > for D

Re: DNSSEC validation without current time

On 15-Dec-17 06:45, Petr Menšík wrote: > Hi folks. > > I am looking for a way to validate name also on systems, where current > time is not available or can be inaccurate. > > This is related to booting with NTP client, when the only configuration > is hostname that has to be resolved. There is a

Re: DNSSEC validation without current time

Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): > Hi there, > > On Fri, 15 Dec 2017, Petr Men??k wrote: > >> ... current time is not available or can be inaccurate. > > ntpdate? > Sure, of course. What would be default host after installation, that can be used in default install

Re: DNSSEC validation without current time

Petr Menšík wrote: > > This is related to booting with NTP client, when the only configuration > is hostname that has to be resolved. There is a bit circle dependencies. Yes awkward, and there still aren't any convincing answers. One of the more interesting projects is https://roughtime.googlesou

Re: DNSSEC validation without current time

t 1us accuracy. It is more or less reliable and value for $70 if one wants UTC on their computer without accessing the internet. This is more than sufficient for DNSSEC validation and many other network services, and certainly more accurate than using the ntp.org poo

Re: DNSSEC validation without current time

Hi there, On Fri, 15 Dec 2017, Petr Men??k wrote: ... current time is not available or can be inaccurate. ntpdate? -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing li

DNSSEC validation without current time

Hi folks. I am looking for a way to validate name also on systems, where current time is not available or can be inaccurate. This is related to booting with NTP client, when the only configuration is hostname that has to be resolved. There is a bit circle dependencies. First current time is requi

Re: dnssec validation issue

Hi Mukund > Are you able to reproduce the bug with the latest stock version of BIND > 9.9? 9.9.4 is very old and that branch has had numerous bugfixes since. > I'm not able to reproduce such a validation failure with 9.9.11: At the moment the latest patched version of bind available for Cen

Re: dnssec validation issue

Hi Ganga On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote: > With dnssec-validation turned on, resolving sites like www.icann.org > <http://www.icann.org/> fails. The alternative is to remove validation > which of course is not the desired solution. Are you able t

Re: dnssec validation issue

On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result. ___

Re: dnssec validation issue

Ganga R. Dhungyel wrote: > > **debug log > > 23-Aug-2017 16:17:57.567 dnssec: debug 3: > validating @0x7f3ffc96e4d0: www.vip.icann.org A: > attempting insecurity proof > > With dnssec-validation turned on, resolving sites like www.icann.org fails. I think th

dnssec validation issue

t; }; allow-query-cache {localhost; my-net; }; flush-zones-on-shutdown yes; version "UNNECESSARY"; dnssec-enable yes; dnssec-validation auto; ## tried with yes but no difference random-device "/dev/urandom"; managed-keys-directory &

Re: dnssec-validation [ ddig_sigchase option ]

On 10/12/16 15:07, Evan Hunt wrote: On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: On 10/12/16 13:36, Evan Hunt wrote: I recommend using "delv" instead. "dig +sigchase" isn't good code. ? well that is news to me :-\ It's code that was contributed over ten years ago; we put

Re: dnssec-validation [ ddig_sigchase option ]

On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: > On 10/12/16 13:36, Evan Hunt wrote: > > I recommend using "delv" instead. "dig +sigchase" isn't good code. > > ? well that is news to me :-\ It's code that was contributed over ten years ago; we put it into dig (hidden behind #ifd

Re: dnssec-validation [ ddig_sigchase option ]

On 10/12/16 13:36, Evan Hunt wrote: On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" I recommend using "delv" instea

  1   2   3   >