nty of any kind.
- Original Message -
> From: "Michal Nowak"
> To: "bind-users"
> Sent: Tuesday, March 25, 2025 1:09:36 PM
> Subject: Re: isc-bind service shutdown after update at 9.20.7-1.2.el8
> Hi,
>
> I can reproduce your problem when I se
rt de Michal Nowak
Envoyé : 25 mars 2025 13:10
À : bind-users@lists.isc.org
Objet : Re: isc-bind service shutdown after update at 9.20.7-1.2.el8
Hi,
I can reproduce your problem when I setup chroot.
Tho, I think this is the expected behaviour unless you setup the systemd notify
socket inside the c
s Joël wrote:
Hello,
Thanks for your reply, this help me to point in the good direction! The problem is in the startup file for the
service /usr/lib/systemd/system/isc-bind-named.service (this file is modify by the 9.20.7 update). When i try to use
the option "Type=notify" or the o
Hello,
Thanks for your reply, this help me to point in the good direction! The
problem is in the startup file for the service
/usr/lib/systemd/system/isc-bind-named.service (this file is modify by the
9.20.7 update). When i try to use the option "Type=notify" or the
For BIND 9.20.7 and 9.21.6 we changed the service type from "forking" to
"notify", also ExecStart now has the "-f" option:
-[Service]
-Type=forking
-ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named
+[Service]
+Type=notify
+ExecStart=/opt/isc/isc-bind/root/usr/sbin/named -u named -f
Coul
This looks like named is not sending the systemd notifications to the
supervisor. Is there anything unusual on your system? Are those stock ISC
packages?
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside
Hi everyone,
After updating my isc-bind packages from 9.20.6-1.2 to 9.20.7-1.2, i try
to start the service but it always « shutdown » by himself. My server is a
Rocky Linux 8.10 and with the old version (9.20.6) everything is working fine
since many mounths. Here is a the part of the out
not feel
obligated to reply outside your normal working hours.
> On 31. 1. 2025, at 12:48, Support Info wrote:
>
>
> Hello,
>
> Following the CVE cve-2024-11187 and cve-2024-12705 concerning Bind9 I have
> two debian servers whose repository cannot find the update:
>
Hello,
Following the CVE cve-2024-11187 and cve-2024-12705 concerning Bind9 I have two
debian servers whose repository cannot find the update:
apt-cache policy bind9
bind9:
Installed: 1:9.18.28-1~deb12u2
Candidate: 1:9.18.28-1~deb12u2
To patch to 9.18.33 Extended Support (ES), what do you
::1#50908/key
local-ddns: updating zone 'galbraiths.ca/IN': deleting rrset at
'angmar.galbraiths.ca'
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key
local-ddns: updating zone 'galbraiths.ca/IN': could not get zone keys
for secure dynamic upd
5020 ::1#50908/key
local-ddns: updating zone 'galbraiths.ca/IN': could not get zone keys
for secure dynamic update
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key
local-ddns: updating zone 'galbraiths.ca/IN': RRSIG/NSEC/NSEC3 update
failed: not found
Oct
r/lib/bind/db.dyn.example.com
<http://db.dyn.example.com/>";
update-policy {
grant local-ddns zonesub any;
grant * self . any;
};
};
/var/lib/bind/db.dyn.example.com <http://db.dyn.example.com/>:
$ORIGIN .
$TTL 60
dy
ctory "/var/cache/bind";
dnssec-validation no;
listen-on { any; };
listen-on-v6 { none; };
};
/etc/bind/named.conf.local:
zone "dyn.example.com" {
type primary;
masterfile-format text;
check-names ignore;
file "/var/lib/bind/db.dyn.ex
On 04/03/2024 14:06, Jiaming Zhang wrote:
Then I should download the source, there's no devel package for this one in the
repo.
That's not necessary. Oracle Linux keeps many of the -devel packages in
its "codeready_builder" repository, which is not enabled by default. As
root, you need to r
On 04. 03. 24 14:06, Jiaming Zhang wrote:
Then I should download the source, there's no devel package for this one
in the repo.
First question is if you need to compile yourself. Most people don't and
can use precompiled packages. Have a look here:
https://kb.isc.org/docs/isc-packages-for-bin
with the Dutch Chamber of Commerce trade register with number
85744115.
Van: Anand Buddhdev
Verzonden: Monday, March 4, 2024 2:04:35 PM
Aan: Jiaming Zhang ; bind-users@lists.isc.org
Onderwerp: Re: Update to 9.18 failed due to libuv
On 04/03/2024 13:56, Jiaming
On 04/03/2024 13:56, Jiaming Zhang wrote:
Hi Jiaming,
Recently I was trying to upgrade bind from 9.16 to 9.18. However, running
`./configure` return an error stating the `libuv` was not found. I have this
library installed (version 1.41.1) via dnf, and can can find it using `rpm -ql`
which s
Dear community,
Recently I was trying to upgrade bind from 9.16 to 9.18. However, running
`./configure` return an error stating the `libuv` was not found. I have this
library installed (version 1.41.1) via dnf, and can can find it using `rpm -ql`
which shows the library is under `/usr/lib64`. I
Hi Mounika
If you connect to a secondary nameserver to accept dynamic zone updates you
have to configure on the secondary inside the slave zone section a statement:
allow-update-forwarding { dhcp-updates; };
...where "dhcp-updates" is an ACL (that could be na
On 14.02.24 17:06, trgapp16 via bind-users wrote:
I configured Bind 9.18.12 as slave DDNS with dynamic updates from DHCP (ISC
DHCP 4.4)
running on the same server (Ubuntu 22.04 server)
When I run "named-checkconf named.conf", I get the following error
"named.conf:2018: optio
Hello,
I configured Bind 9.18.12 as slave DDNS with dynamic updates from DHCP (ISC
DHCP 4.4)
running on the same server (Ubuntu 22.04 server)
When I run "named-checkconf named.conf", I get the following error
"named.conf:2018: option 'allow-update' is no
Hi,
Disabling inline-signing is a good workaround. The issue is that BIND
with inline-signing maintains a signed file separately and needs to bump
the SOA SERIAL.
The serial queried is for the DNSSEC signed zone, but the dynamic update
is done against the unsigned version of the zone. Hence
Am 08.07.2023 um 08:48 schrieb Matthias Fechner:
If I try now to update some records remotely on the server I see in
the log of the server:
==> /var/named/var/log/named.log <==
08-Jul-2023 07:40:22.962 update-security: info: client @0x848ac0760
93.182.104.69#18475/key idefix.fechn
Hi,
Have a look at nsupdate
(https://bind9.readthedocs.io/en/v9.18.19/manpages.html#nsupdate-dynamic-dns-update-utility)
as well. This can be used to update the zone without direct editing
and thus no need for freezing and thawing.
Thank you,
Darren Ankney
On Fri, Sep 22, 2023 at 3:43 PM Jan
. There is no way to
inhibit this. Note also, that the zone file must not be edited by hand without
prior `rndc freeze' and subsequent `rndc thaw', and note that freezing a zone
forbids updates.
As a side note I'd like to recommend using the much more granular `update
policy' on th
Hello!
I´m using Bind 9.11 .
I´m automating my dns server with ansible (nsupdate module). To do this I
enabled the configuration directive allow-update. After the first automated
name change, my zone file was unformatted. I lost the comments and more
than 500 occurrences of the ORIGIN parameter
Am 05.07.2023 um 13:13 schrieb Matthias Fechner:
So far, nsdiff generates expected output, next step is now to apply
the changes in an automated way.
If I try now to update some records remotely on the server I see in the
log of the server:
==> /var/named/var/log/named.log <==
08-Ju
Hi Nick,
Am 04.07.2023 um 08:17 schrieb Nick Tait via bind-users:
It looks like nobody solved your /original/ problem? If you are still
looking for an answer it might help if you posted some logs? The
people on this list are good at interpreting any errors you're seeing. :-)
thanks a lot for
Am 04.07.2023 um 10:16 schrieb Matthew Seaman:
By default, the primary server will end up with a `fetchner.net` zone
data file in text format which contains the pretty much the same RRs
as your master copy in git, but reformatted into a standard style,
sorted into order and with comments stri
On 03/07/2023 19:36, Matthias Fechner wrote:
What I understood from the documentation:
*-s* /server/[#/port/]
I can maintain e.g. my zones from my local computer at home inside a git
repository and use nsdiff and nspatch to push the changes to the server
in the internet?
Correct.
Does the s
2/07/23 11:29 PM (GMT+12:00) To: bind-users@lists.isc.org Subject: How
to update zone with dnssec-policy Dear all,I have the following problem that
changes in a zone file do not get active, no matter if I reload the zone using
rndc or restarting bind 9.16.42 on FreeBSD.If I update a zone I edi
given you set up zone
policies and distribute keys appropriately. Although if you run nsdiff
directly on your primary DNS machine, you should be able to use the
built-in /var/run/named/session.key with a per-zone policy like:
```
update-policy {
grant local-ddns z
On 02/07/2023 12:27, Matthias Fechner wrote:
I have the following problem that changes in a zone file do not get
active, no matter if I reload the zone using rndc or restarting bind
9.16.42 on FreeBSD.
If I update a zone I edit the zone file, adapt the serial in the SOA and
normally do a rndc
Dear all,
I have the following problem that changes in a zone file do not get
active, no matter if I reload the zone using rndc or restarting bind
9.16.42 on FreeBSD.
If I update a zone I edit the zone file, adapt the serial in the SOA and
normally do a rndc reload fechner.net.
The
> On 24 May 2023, at 13:59, Patrick Rynhart wrote:
>
> Currently we have (for our Master zone) a list of IPs that can update
> our DNS master using the allow-update statement:
>
> zone "redacted.ac.nz" {
> type master;
> allow-update {
>
Currently we have (for our Master zone) a list of IPs that can update
our DNS master using the allow-update statement:
zone "redacted.ac.nz" {
type master;
allow-update {
::1;
127.0.0.1;
131.123.103.2;
131.123.88.3;
...
}
We are wanting to transition to the m
not feel
obligated to reply outside your normal working hours.
> On 14. 3. 2023, at 19:00, Vladimir Brik
> wrote:
>
> Thanks, quoting worked!
>
> Does anybody know if the socket of an "external" update-policy supposed to
> receive data for every dynamic DNS up
Hi Vlad,
Did you specify the socket filename (/tmp/sock from your update-policy
example) when running it? According to the man page:
https://bind9.readthedocs.io/en/v9_18_11/manpages.html#nsupdate-dynamic-dns-update-utility
the final argument for the command line is an optional filename. If
not
Thanks, quoting worked!
Does anybody know if the socket of an "external"
update-policy supposed to receive data for every dynamic DNS
update?
I `strace`ed the `named` process and pushed some updates
using nsupdate, but I saw no attempts to do anything with
the socket file (no
I haven't used this personally, but in the system tests, this works:
update-policy {
grant administra...@example.nil wildcard * A SRV CNAME;
grant testden...@example.nil wildcard * TXT;
grant "local:/tmp/auth.sock" e
Hello
I am trying to set up an "external" dynamic DNS update
policy but I can't figure out the syntax.
The documentation [1] says that the "identity" field needs
to be in the form local:PATH, but using something like the
following results in an error: "
Thanks Mark - that was the issue :-)
I really, really appreciate the help
Cheers
Dulux-Oz
On 04/02/2023 23:21, Mark Andrews wrote:
Add DHCID to the list of record types permitted to be updated by the DHCP
server.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe fro
"dnssec_log";
> "default_debug";
> };
> category "default" {
> "default_syslog";
> "default_debug";
> "default_log";
> };
> category "delegation-only" {
>
"default_log";
};
category "delegation-only" {
"auth_servers_log";
"default_debug";
};
category "edns-disabled" {
"auth_servers_log";
"default_debug";
};
category "lame-
You need to replace the rule type with something more appropriate for the type
of update being preformed. For the updates made by the DHCP server I would use
“zonesub”. “name” is fine for LetsEncrypt.
update-policy {grant update-key zonesub A ;};
update-policy {grant
e able to help you.
>
> That being said, your update policy statements don't look correct to
> me. Have you tried to load them with BIND? Do they pass syntax check?
> The reason they don't look right is that they seem to follow this
> format correctly:
>
> # (grant | deny )
You would probably need to attach your entire named.conf file (with
sensitive bits (keys and the like) redacted
named-checkconf -px
is your friend: prints out the named.conf and included files in canonical form
if no errors were detected and obscures shared secrets by replacing them with
str
You would probably need to attach your entire named.conf file (with
sensitive bits (keys and the like) redacted and perhaps subnets
obscured to examples such as 192.0.2.0/24, for example) before anyone
would be able to help you.
That being said, your update policy statements don't look corre
Hi All,
I'm pretty new to configuring Bind and so it would be great if
someone(s) could just check my code re: the update-policy zone
command(s) below - thanks in advance.
For the first zone (a regular internal forward-lookup zone) I'd like to
be able to update (from Kea via ddns
Saw this at startup:
18:09:14.595420 IP (tos 0x0, ttl 57, id 35985, offset 0, flags [none], proto
UDP (17), length 1167)
192.58.128.30.53 > 24.116.100.90.53955: [udp sum ok] 64207*- q: DNSKEY? .
4/0/1 . DNSKEY, . DNSKEY, . DNSKEY, . RRSIG ar: . OPT UDPsize=1472 DO (1139)
18:09:14.597537 IP (
> On May 14, 2022, at 12:35 AM, Matus UHLAR - fantomas
> wrote:
>
> On 13.05.22 10:06, Philip Prindeville wrote:
>> After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started
>> seeing a lot of:
>>
>>
>> May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature
On 24-10-2022 15:14, PGNet Dev wrote:
The good news it is not stuck.
What indicator flags that it IS 'stuck'? Is it explicitly logged?
Because the keymgr logs says it is just waiting time?
2022-10-21T16:55:22.690622-04:00 ns named[36683]: 21-Oct-2022
16:55:22.689 dnssec: debug 1: keymgr:
The good news it is not stuck.
What indicator flags that it IS 'stuck'? Is it explicitly logged?
BIND is waiting to make sure the new DS is also known to the validators. The
time being evaluated here is the DS TTL, plus parent-propagation-delay, plus
retire-safety. All these three values ar
Hi,
On 21-10-2022 23:05, PGNet Dev wrote:
I exec
rndc dnssec -checkds -key 63917 published example.com IN external
with dnssec loglevel -> debug, on exec, in logs
2022-10-21T16:55:22.690603-04:00 ns named[36683]: 21-Oct-2022
16:55:22.689 dnssec: debug 1: keymgr: examine KSK
example
I exec
rndc dnssec -checkds -key 63917 published example.com IN external
with dnssec loglevel -> debug, on exec, in logs
2022-10-21T16:55:22.690603-04:00 ns named[36683]: 21-Oct-2022 16:55:22.689
dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/63917 type DS
in state R
grep DSState Kexample.com.+013+63917.state
!! DSState: rumoured
ds state is still just "rumoured".
What additional steps are needed to update that DSState correctly?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC fun
Hello all,
I have a problem that my DHCPv6 DDNS update which works reliably with
IPv4 doesn't work at all when we implemented
the dual-stack operation. There is not even a warning, notice or error
in the log. No syntax errors in the config /etc/dhcp/dhcpd6.conf file.
We are running Debi
Hello all,
I have a problem that my DHCPv6 DDNS update which works reliably with
IPv4 doesn't work at all when we implemented
the dual-stack operation. There is not even a warning, notice or error
in the log. No syntax errors in the config /etc/dhcp/dhcpd6.conf file.
We are running Debi
Using nsupdate when I try to delete an MX record for a domain, I get REFSUED.
REFUSED is also reported when attempting to update a non-dynamic zone. Are you
sure the zone you're trying to update is actually dynamic?
How do I remove and replace the MX record for a domain with nsupdate?
@lbutlr wrote:
> Using nsupdate when I try to delete an MX record for a domain, I get
> REFSUED.
>
> When I try to add an MX record with the same priority (or not), it
> leaves the old record as well.
>
> How do I remove and replace the MX record for a domain with nsupdate?
Show your procedure.
--
Mark Andrews
> On 5 Jun 2022, at 06:37, @lbutlr wrote:
>
> Using nsupdate when I try to delete an MX record for a domain, I get REFSUED.
>
> When I try to add an MX record with the same priority (or not), it leaves the
> old record as well.
>
> How do I remove and
Using nsupdate when I try to delete an MX record for a domain, I get REFSUED.
When I try to add an MX record with the same priority (or not), it leaves the
old record as well.
How do I remove and replace the MX record for a domain with nsupdate?
--
A woman stays up all night with two men
On 13.05.22 10:06, Philip Prindeville wrote:
After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing
a lot of:
May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature
fou
Your MTU is not the point. It's what happens beyond your equipment that may
have a bearing. However, as I said, I don't think IP fragmentation will be
your problem in this case, so that's a whole other discussion for a
different day.
pcaps are your friend though. From a packet capture you can see e
My MTU is 1500 bytes, so I don't think that's the problem.
But UDP can fragment via IP...
> On May 13, 2022, at 10:34 AM, Greg Choules
> wrote:
>
> Hi Philip.
> Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker and
> just traced what happens going from "dnssec-validat
Hi Philip.
Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker
and just traced what happens going from "dnssec-validation no;" to
"dnssec-validation auto;" It makes a DNSKEY query for "." to one of the
roots. The response size was over 900 bytes, so depending on what UDP
paylo
After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing
a lot of:
May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature
found
May 12 19:24:06 OpenWrt named[11061]: no val
On 2022 Apr 12, at 18:25, @lbutlr wrote:
>
> My secondary DNS server (bind916-9-16-27) is reporting:
>
> managed-keys-zone: Failed to create fetch for DNSKEY update
Named.conf relevant settings (I think) are:
recursion yes;
allow-query { any; };
all
My secondary DNS server (bind916-9-16-27) is reporting:
managed-keys-zone: Failed to create fetch for DNSKEY update
At this point it only respond SERVFAIL to all queries.
The secondary DNS is a spare machine that is not used for anything else but
DNS, so no one has touched it other than to
rles D
Cc: bind-users@lists.isc.org
Subject: [EXTERNAL] Re: NOTAUTH on dynamic update followed by approved update
Hellige, Charles D wrote:
> We have been using nsupdate for some time without issue. We recently
> started seeing NOTAUTH failures in the named logs followed by
> success
AUTH) errors before we finally get a
> successful message.
My wild guess is that someone is using a DNS UPDATE client that has a
noisy and blundering algorithm for working out which zone it is updating.
In a DNS UPDATE message, the first section (corresponding to the question
section in a n
message.
config : zone "ops.company.com" { type master; file
"/usr/local/etc/namedb/grn/fwd/ops.company.com.db"; allow-update { key
"grn-mid"; }; };
11-Mar-2022 10:07:19.748 update: info: grn-mid: view GRN: updating zone
'ops.company.com/IN': update f
PM, Crist Clark wrote:
Looks like you're trying to use the setup in that serverfault link.
That example only works on an internal network. I thought the
186.198.193. part was enough to make the zone unique. But your
assertion is correct: I would collide if any other administrators on
other sub
s the name resolution is more stable with the
secondary (slave) servers for the zone.
Kind regards,
Mirsad Todorovac
On 13.12.2021. 9:25, Mirsad Goran Todorovac wrote:
Hello Crist,
The good news is that it seems that the dynamic DDNS update from DHCP
works!
See here a snap from /var/log/s
Hello Crist,
The good news is that it seems that the dynamic DDNS update from DHCP
works!
See here a snap from /var/log/syslog:
Dec 13 07:36:20 domac dhcpd[26031]: DHCPDISCOVER from 1c:66:6d:90:0b:f7
(ALU-ZAG-14) via 193.198.186.193
Dec 13 07:36:20 domac dhcpd[26031]: DHCPOFFER on
to make the zone unique. But your
assertion is correct: I would collide if any other administrators on
other subnets in range 193.198.186.0/24 decide to make reverse DHCP
DDNS update in the future. Thanks for the thought!
The point of the example I gave is that you are going to build your
own reverse
I thought the 186.198.193. part was enough to make the zone unique.
But your assertion is correct: I would collide if any other
administrators on other subnets in range 193.198.186.0/24 decide to
make reverse DHCP DDNS update in the future. Thanks for the thought!
The point of the example I gave
link.
That example only works on an internal network.
I thought the 186.198.193. part was enough to make the zone unique.
But your assertion is correct: I would collide if any other
administrators on other subnets in range 193.198.186.0/24 decide to
make reverse DHCP DDNS update in the future. Thank
verse DHCP
DDNS update in the future. Thanks for the thought!
The point of the example I gave is that you are going to build your
own reverse zone inside of a zone you control on the Internet. Now
that you've given some examples, I can perhaps make it more obvious
what I'm suggesting. Your
BIND 9 is great open source server with lots of bells and
> whistles. But right now I can't study all those and I just want to survive,
> providing a solution fast enough for our uplevel sysadmins.
>
> The /etc/bind/named.conf.local part looks like:
>
> zone "192/27.186.1
oks like:
zone "192/27.186.198.193.in-addr.arpa" in {
type master;
file "/etc/bind/zones/192-27.186.198.193.in-addr.arpa.db";
};
zone "186.198.193.dhcp" in {
type master;
file "/var/cache/bind/186.198.193.dhcp.db";
all
CNAME 193.186.198.193.rev.example.com
<http://193.186.198.193.rev.example.com>.
194 IN CNAME 194.186.198.193.rev.example.com
<http://194.186.198.193.rev.example.com>.
…
On Fri, Dec 10, 2021 at 2:51 PM Mirsad Goran Todorovac
wrote:
Hello,
I have a problem with DHCP DDNS update to
, Dec 10, 2021 at 2:51 PM Mirsad Goran Todorovac <
mirsad.todoro...@alu.unizg.hr> wrote:
> Hello,
>
> I have a problem with DHCP DDNS update to BIND 9 reverse PTR zone subnet
> that is owned by several organizations, so I can't get a direct DHCP DDNS
> update access w
Hello,
I have a problem with DHCP DDNS update to BIND 9 reverse PTR zone subnet
that is owned by several organizations, so I can't get a direct DHCP
DDNS update access with a key or with hostname.
I have been delegated domain name |192-27.186.198.193.in-addr.arpa from
the upper level a
ed[3722]: dnssec: warning:
managed-keys-zone: Failed to create fetch for DNSKEY update
Nov 21 18:04:40 pole named[3722]: zoneload: info: zone ./IN:
loaded serial 2021112100 (DNSSEC signed)
Nov 21 18:04:40 pole named[3722]: zoneload: info: zone
10.in-addr.arpa/IN: loaded serial 2021080800
Nov 21
As far as I am aware - and what I have always done - the normal thing to do is
to use a hints file. Lately the hints are built-in, so nothing is really needed.
One question that comes to mind:
What happens if the slaved root zones are not up to date /not correct? might
that be the cause?
--
Be
Hija,
I finally found the cause of the error! As soon as I stop slaving
the root-zones and instead use the (configured or compiled-in)
hint-file, the error stops.
The actual error-condition (zone is not loaded) then becomes
obvious, because this RFC-5011 action happens very early, before
any
On Mon, Nov 15, 2021 at 09:14:19AM +0100, Ondřej Surý wrote:
! > On 15. 11. 2021, at 3:41, Peter wrote:
! >
! > Wondering
!
> On 15. 11. 2021, at 3:41, Peter wrote:
>
> Wondering
> * WHAT is broken?
> * Why does it happen only to me?
We can’t really help you if you don’t share any details of your installation
and configuration (hint: You can use `named-checkconf -px` to scrub the
configuration).
So far, you shared a
Hi all,
I continuousely happen to see this message:
> local0.warn named[2291]:
> dnssec: warning: managed-keys-zone: Failed to create fetch for DNSKEY update
I see it on different nameservers, at different sites, with and
without views, with and without IPv6, and I see it every time when
On 11/10/2021 6:25 AM, Giddings, Bret wrote:
Is there any other facility for including effectively the same grant
statements within multiple zones?
I am not aware of any
--
Do things because you should, not just because you can.
John Thurston907-465-8591
john.thurs...@alaska.gov
Departm
Hello,
I want to use the same update-policy grant statements multiple times in
different zones and would therefore prefer to use something like an ACL.
It doesn’t appear to be the case that you can create something like
acl “FOO” {
grant EXAMPLE.COM krb5-self . A ;
grant * tcp-self . PTR(1
not required; you already had "update-policy local;"
which gives you a key to use with nsupdate(8)'s -l option. This is
a perfectly valid way to maintain zone data, and in my opinion much
better than editing zone files and inline-signing. You have taken a
step backwards.
This has
Wow. Thanks so much for all the responses. Really appreciate it. They made me
truly realize that a lot on the info on the net may be either incomplete or
just old. I understand a bit better now.
I added the line inline-signing yes; as was suggested and reloaded bind. I am
now seeing the .signed,
Peter Fraser wrote:
>
> I am using bind-9.14.x and here are the DNSSEC related entries in the zone.
>
> auto-dnssec maintain;
> update-policy local;
> key-directory “zones/domain-keys”;
How you go about this depends on whether your configuration enables
`inline-signing` or not.
bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Peter
Fraser
Sent: Sunday, May 09, 2021 8:49 PM
To: bind-users@lists.isc.org
Subject: Update DNSSEC Zone
HI All,
I really would appreciate a pointer in the right direction. I took over a bind
server recently. I am not new to bind. I
update the DNSSEC zone. Can
anyone assist me please? I did see one site that said I could just put in
regular A record entries and run rndc reload and that would resign the zone. I
tried that but it didn’t work.
I am using bind-9.14.x and here are the DNSSEC related entries in the zone.
auto
2 add the KAM ruleset: https://mcgrail.com/template/projects#KAM1
Regards,
KAM
On 4/27/2021 9:47 AM, Turritopsis Dohrnii Teo En Ming wrote:
Subject: [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail
Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
Good day from Singapore,
I fol
Subject: [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail
Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
Good day from Singapore,
I followed linuxbabe.com's Xiao Guoan's guide and successfully setup a
full featured Linux mail server on Ubuntu 18.04.5 LTS with IRedMail
1.4.
location may be an contributing factor.
I coulda sworn I’d fixed that before...
I would not be surprised if a system update accidentally overwrote a
tweak to a SELinux policy.
If you can't tell, I prefer to leave things enabled at the security
posture they are at and provide exception
1 - 100 of 588 matches
Mail list logo
