on.
>
> This advice may be misunderstood. Use of dlv.isc.org is usually
> implied, not explicitly stated in named.conf, typically via
>
> dnssec-lookaside auto;
>
> (or "yes"). This should (most probably) be changed to
>
> dnssec-lookaside no;
>
> I don
amed.conf, typically via
dnssec-lookaside auto;
(or "yes"). This should (most probably) be changed to
dnssec-lookaside no;
I don't have the cross-reference of what the default value has been
for this option up through the history of BIND, so explicitly setting
it to "no"
We apparently let our signatures on dlv.isc.org expire. We are fixing it now.
We apologize for this.
This was an accident - we did *not* do this on purpose - but in fact, this is a
good time for anyone who still has dlv.isc.org configured to REMOVE it from
your BIND configuration. The zone is em
Hello,
I unfortunately got hit by the key expiration or whatever just happened about
an hour ago that caused the "dnssec-lookaside auto" command to crush all of our
DNS queries.
I realize that it wasn't doing anything but we left the command in there
because it had been in t
On 2010-12-28 09:26, Eivind Olsen wrote:
>> >> trying to resolve www.microsoft.com or microsoft.com results in a
>> >> "connection timed out; no servers could be reached"
>>
> >
> >Well, for what it's worth - it's not just you having that issue. When
> >testing from home and from work
ew
> _default, file 'managed-keys.bind'
> Dec 20 07:49:14 sarlac named[4137]: reloading configuration succeeded
> Dec 20 07:49:15 sarlac named[4137]: managed-keys-zone ./IN: loaded serial 16
> Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: loaded serial
> 2010110
rlac named[4137]: reloading configuration succeeded
Dec 20 07:49:15 sarlac named[4137]: managed-keys-zone ./IN: loaded serial 16
Dec 20 07:49:15 sarlac named[4137]: zone torinthiel.pl/IN: loaded serial
2010110801
Dec 20 07:49:15 sarlac named[4137]: reloading zones succeeded
Dec 20 07:49:15 sarlac named
.154.101.23#53
And what other errors were logged by named when it started?
> After some googling and finding
> http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
> and even better
> http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
>
> I'v
better
http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
I've changed to dnssec-lookaside auto. Lo and behold, everything works fine.
"dnssec-lookaside auto" just imports the managed-keys statement from
[source-tree]/bind.keys. Compare that carefully with your expl
org/DNSKEY/IN': 156.154.101.23#53
After some googling and finding
http://www.mail-archive.com/bind-users@lists.isc.org/msg06660.html
and even better
http://www.mail-archive.com/bind-users@lists.isc.org/msg05689.html
I've changed to dnssec-lookaside auto. Lo and behold, everything
ou wanted to know how
to use DLV without having a managed-keys zone created at all.
In 9.7.1 and above, you can use "managed-keys" statements at the view level
as well as globally. (This was a known limitation in 9.7.0.) You can also
use "dnssec-lookaside auto" at the view
On 07/18/10 12:28, Matthew Seaman wrote:
> Think I'll just drop the external-chaos view. Some script kiddie
> working out I'm running the latest version of bind is likely to be lower
> risk and a lot less harmful than dealing with broken dnssec chains of trust.
I agree, and to take it one step fu
On Sun, Jul 18, 2010 at 3:28 PM, Matthew Seaman
wrote:
> Think I'll just drop the external-chaos view. Some script kiddie
> working out I'm running the latest version of bind is likely to be lower
> risk and a lot less harmful than dealing with broken dnssec chains of trust.
version none
On 18/07/2010 17:58:15, Evan Hunt wrote:
>> Is there a way of using dnssec-lookaside and forcing bind not to
>> maintain a managed-keys-zone for certain views?
>
> Sure, just do it the old way, without "dnssec-lookaside auto".
> Put these in the view statement
> Is there a way of using dnssec-lookaside and forcing bind not to
> maintain a managed-keys-zone for certain views?
Sure, just do it the old way, without "dnssec-lookaside auto".
Put these in the view statement:
dnssec-lookaside . trust-anchor dlv.isc.org;
"pa"; "pf"; "re"; "se"; "sr"; "tn";
"to"; "tw"; "us"; "uy"; };
allow-transfer { secondaries; };
allow-query { trusted; };