Re: Migration to inline-signing

hijs Mekking wrote: > > > On 17-05-2025 06:39, Crist Clark wrote: > > Tired of looking at the log messages warning me that inline-signing will > > be the default in 9.20. I want to convert my 9.18 to using > > inline-signing. Right now all of the zones use dnssec-polic

Re: Migration to inline-signing

On 17-05-2025 06:39, Crist Clark wrote: Tired of looking at the log messages warning me that inline-signing will be the default in 9.20. I want to convert my 9.18 to using inline-signing. Right now all of the zones use dnssec-policy and are dynamic. I tried just simply adding the "i

Re: Migration to inline-signing

Crist Clark wrote: > Tired of looking at the log messages warning me that inline-signing > will be the default in 9.20. I want to convert my 9.18 to using > inline-signing. Right now all of the zones use dnssec-policy and are > dynamic. My experience was that it wa

Migration to inline-signing

Tired of looking at the log messages warning me that inline-signing will be the default in 9.20. I want to convert my 9.18 to using inline-signing. Right now all of the zones use dnssec-policy and are dynamic. I tried just simply adding the "inlien-signing yes" line to a zone with dynam

Re: opendnssec -> inline-signing

[ off list ] > I couldn't help noticing that when you ran dnssec-dsfromkey you > referenced this directory: /usr/home/dns/Fixed nah. i have multiple copies so i can `rsync` them to refresh. i am getting closer. as mark pointed in the direction, i found that the keys produced by the extraction

Re: opendnssec -> inline-signing

On 08/03/2024 12:54, Randy Bush wrote: but WHY NOT? same key sets with opendnssec and inline-signing, we think. The most obvious possibility is that this is referring to a different directory to where you put the keys that you wanted to use: |key-directory "/usr/home/dns/dkeys

Re: opendnssec -> inline-signing

qgFAQBGN6I6qNVwiEnWeMtWhn5t8l >>> 8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4 >>> OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl >>> LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD >>> ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts >>> kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0t

Re: opendnssec -> inline-signing

; liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ >> B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== ) >> >>> https://git.rg.net/randy/randy/src/master/scratch.md > > yes, we can see that, as we noted. and yes we could rekey 42 zones at > the parents; great fun. > > but WH

Re: opendnssec -> inline-signing

SJgmD > ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts > kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd > liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ > B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== ) > >> https://git.rg.net/randy/randy/src/master/scratch.md yes, we can see that, as we noted. and ye

Re: opendnssec -> inline-signing

== ) > On 8 Mar 2024, at 10:35, Randy Bush wrote: > > FreeBSD 13.2-RELEASE-p10 amd64 > bind 9.16.48 > softhsm-1.3.8 (yes, i know) > opendnssec 2.1.13 > moon in klutz > > been running opendnssec, and trying to move to bind inline-signing > > in the hope of makin

opendnssec -> inline-signing

FreeBSD 13.2-RELEASE-p10 amd64 bind 9.16.48 softhsm-1.3.8 (yes, i know) opendnssec 2.1.13 moon in klutz been running opendnssec, and trying to move to bind inline-signing in the hope of making it more readable, the sad story is at https://git.rg.net/randy/randy/src/master/scratch.md thanks for

Re: inline-signing breaks nsdiff.

Petr Špaček wrote: > Please open an issue in our Gitlab: Done: https://gitlab.isc.org/isc-projects/bind9/-/issues/4352 Björn Persson pgp3GzBYDpAWV.pgp Description: OpenPGP digital signatur -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the

Re: inline-signing breaks nsdiff.

On 01. 10. 23 21:10, Björn Persson wrote: I find that when both inline-signing and update-policy are in use, I can't detect race conditions with the method described in RFC 2136 section 5.7, which nsdiff uses. It seems that a serial number specified in a prerequisite of an update is compar

inline-signing breaks nsdiff.

I find that when both inline-signing and update-policy are in use, I can't detect race conditions with the method described in RFC 2136 section 5.7, which nsdiff uses. It seems that a serial number specified in a prerequisite of an update is compared to the unsigned version of the zone, bu

Re: DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

need or design anything other than a good ole static zone since an entry is changed like 3-4 times per year.  The newest ARM has a new section that mentions needing to setup Dynamic DNS but it also states that BIND previously used implicit inline-signing.  It is really difficult for a casual

Re: DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

or things to work. Don't need or design anything > other than a good ole static zone since an entry is changed like 3-4 times > per year. The newest ARM has a new section that mentions needing to setup > Dynamic DNS but it also states that BIND previously used implicit > inli

DNSSec Setup ARM Manual vs KB article on adding inline-signing for non-dynamic zones

ar. The newest ARM has a new section that mentions needing to setup Dynamic DNS but it also states that BIND previously used implicit inline-signing. It is really difficult for a casual observer to sort this out. No reference to what they mean by "previously". Did they break builds newe

Re: Deprecating auto-dnssec and inline-signing in 9.18+

FYI: We are going forward with deprecating 'auto-dnssec' in 9.18+. We might deprecate 'inline-signing' too in 9.18, but only if we have implemented the replacement code to configure it inside 'dnssec-policy' in time. After last year's discussion on this

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

Since the latest release dnssec-policy requires either inline-signing to be set to yes, or allow dynamic updates. I am thinking of adding inline-signing to dnssec-policy, do you think that would that be useful? Matthijs, Yes, from my point of view, that would surely be useful. I would

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

named.conf and contain them in one stanza. But some options are more difficult to be replaced than others. On 24-10-2022 18:16, PGNet Dev wrote: i've read this comment 'inline-signing' might go away and be replaced by dnssec-policy now a few times, in posts and in docs currentl

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

there are separate cases to consider. the docs https://bind9.readthedocs.io/en/latest/reference.html#dnssec-policy-block-definition-and-usage state The dnssec-policy statement requires dynamic DNS to be set up, or inline-signing to be enabled. If inline-signing is enabled

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

Retried my named.conf with BIND 9.19.7-dev (Development Release) which reports: 26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to _not_ overwrite original zone files/data on signing. I cannot confirm that (9.17.22): sry, fat thumbed copying my reply into email :-/ should have been wrapped in niceties, including "hm

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

ls -1 keys/dnssec/example.com/ (empty) ls -1 namedb/primary/example.com* namedb/primary/example.com.zone<== ORIGINAL, unsigned zone file cat etc/named.conf ... zone "example.com" IN { type master; file "namedb/primary/example.com.zone";

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to _not_ overwrite original zone files/data on signing. I cannot confirm that (9.17.22): % ls -1 example.aa named.conf % cat named.conf options { directory "."; l

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

There are two ways of DNSSEC maintenance in BIND. One is the inline-signing approach, that preserves the original zone file. The other is to apply the changes directly to the zone (and zone file) and requires the zone to allow dynamic updates. Since the latest release dnssec-policy requires

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

ated configuration options that are scattered throughout named.conf and contain them in one stanza. But some options are more difficult to be replaced than others. On 24-10-2022 18:16, PGNet Dev wrote: i've read this comment 'inline-signing' might go away and be replaced by dns

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

stanza. But some options are more difficult to be replaced than others. On 24-10-2022 18:16, PGNet Dev wrote: i've read this comment 'inline-signing' might go away and be replaced by dnssec-policy now a few times, in posts and in docs currently, WITH 'dnssec-policy'

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

be replaced than others. On 24-10-2022 18:16, PGNet Dev wrote: i've read this comment 'inline-signing' might go away and be replaced by dnssec-policy now a few times, in posts and in docs currently, WITH 'dnssec-policy' signing enabled & in-use, i&#

'inline-signing' might go away and be replaced by dnssec-policy ?

i've read this comment 'inline-signing' might go away and be replaced by dnssec-policy now a few times, in posts and in docs currently, WITH 'dnssec-policy' signing enabled & in-use, i've zone "example.com" IN { type m

Re: Deprecating auto-dnssec and inline-signing in 9.18+

* Tim Daneliuk via bind-users: > I believe the DS record is what I have to provide my registrar as I > understand it. That depends on the top level domain. For example, .de uses DS records, while .com uses DNSKEY reords. Best to ask your registrar. -Ralph

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On Wed, Aug 11, 2021 at 12:14:38PM -0500, Tim Daneliuk via bind-users wrote: > On 8/10/21 11:27 PM, raf via bind-users wrote: > > Does that help at all? > > Very much thank you. I have now discovered my DNS key and corresponding DS > record. I believe the DS record is what I have to provide

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On 8/10/21 11:27 PM, raf via bind-users wrote: > Does that help at all? Very much thank you. I have now discovered my DNS key and corresponding DS record. I believe the DS record is what I have to provide my registrar as I understand it. -- ---

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On Wed, Aug 11, 2021 at 09:40:00AM +0200, Matthijs Mekking wrote: > > Syntax question: > > In https://bind9.readthedocs.io/en/latest/dnssec-guide.html > > the double quotes are never used in the zone stanza > > where the dnssec-policy is referred to. The double > > quotes sometimes (but not alwa

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

Syntax question: In https://bind9.readthedocs.io/en/latest/dnssec-guide.html the double quotes are never used in the zone stanza where the dnssec-policy is referred to. The double quotes sometimes (but not always) appear in the dnssec-policy definition stanza. Are the double quotes optional in bo

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

Hi Tim, On 11-08-2021 04:19, Tim Daneliuk via bind-users wrote: On 8/10/21 7:32 PM, raf via bind-users wrote: To get the DS record information to convey to the registrar, after starting to use the default policy. look for the CDS record (the child version of the DS record) with dig: dig CDS

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On Tue, Aug 10, 2021 at 09:19:33PM -0500, Tim Daneliuk via bind-users wrote: > On 8/10/21 7:32 PM, raf via bind-users wrote: > > To get the DS record information to convey to the > > registrar, after starting to use the default policy. > > look for the CDS record (the child version of the DS > >

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On 8/10/21 7:32 PM, raf via bind-users wrote: > To get the DS record information to convey to the > registrar, after starting to use the default policy. > look for the CDS record (the child version of the DS > record) with dig: > > dig CDS EXAMPLE.ORG > > For the default policy, you'll only hav

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On Tue, Aug 10, 2021 at 11:24:31AM -0500, Tim Daneliuk via bind-users wrote: > On 8/10/21 10:07 AM, Matthijs Mekking wrote: > >> So just to be sure I'm doing the right thing, I've added this to my > >> options stanza: > >> > >>  dnssec-policy "default"; > >> > >> Then restarted named and now

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On Tue, Aug 10, 2021 at 08:51:04AM -0500, Tim Daneliuk via bind-users wrote: > On 8/10/21 7:51 AM, Matthijs Mekking wrote: > > Hi Klaus, > > > > On 10-08-2021 13:38, Klaus Darilion wrote: > >> Hi Matthijs! > >> > >>> We would like to encourage you to change your configurations to > >>> 'dnssec-

Re: AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+

Klaus Darilion via bind-users wrote: > > By reading this KB I do not know how the user will be informed which DS > (or DNSKEY) must be submitted to the parent zone. I know you to convert > a DNSKEY to DS, but IMO the KB is very good but missest hat point. I would expect the zone's apex CDS and CD

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On 8/10/21 10:07 AM, Matthijs Mekking wrote: >> So just to be sure I'm doing the right thing, I've added this to my >> options stanza: >> >>  dnssec-policy "default"; >> >> Then restarted named and now all the signing magic is taken care of for >> me for all zones?  (I was not previously using 

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On 10-08-2021 15:51, Tim Daneliuk via bind-users wrote: On 8/10/21 7:51 AM, Matthijs Mekking wrote: Hi Klaus, On 10-08-2021 13:38, Klaus Darilion wrote: Hi Matthijs! We would like to encourage you to change your configurations to 'dnssec-policy'. See this KB article for migration help: h

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

On 8/10/21 7:51 AM, Matthijs Mekking wrote: > Hi Klaus, > > On 10-08-2021 13:38, Klaus Darilion wrote: >> Hi Matthijs! >> >>> We would like to encourage you to change your configurations to >>> 'dnssec-policy'. See this KB article for migration help: >>> >>> https://kb.isc.org/docs/dnssec-key-and

Re: AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+

Thanks, I got some more suggestions to improve the KB article, I'll include yours to that list. On 10-08-2021 15:28, Klaus Darilion wrote: On 10-08-2021 13:38, Klaus Darilion wrote: Hi Matthijs! We would like to encourage you to change your configurations to 'dnssec-policy'. See this KB arti

AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+

> On 10-08-2021 13:38, Klaus Darilion wrote: > > Hi Matthijs! > > > >> We would like to encourage you to change your configurations to > >> 'dnssec-policy'. See this KB article for migration help: > >> > >> https://kb.isc.org/docs/dnssec-key-and-signing-policy > > > > Some comments to this KB artic

Re: AW: Deprecating auto-dnssec and inline-signing in 9.18+

Hi Klaus, On 10-08-2021 13:38, Klaus Darilion wrote: Hi Matthijs! We would like to encourage you to change your configurations to 'dnssec-policy'. See this KB article for migration help: https://kb.isc.org/docs/dnssec-key-and-signing-policy Some comments to this KB article and dnssec-polic

AW: Deprecating auto-dnssec and inline-signing in 9.18+

Hi Matthijs! > We would like to encourage you to change your configurations to > 'dnssec-policy'. See this KB article for migration help: > > https://kb.isc.org/docs/dnssec-key-and-signing-policy Some comments to this KB article and dnssec-policy: - The article should mention how to retrie

Re: Deprecating auto-dnssec and inline-signing in 9.18+

nning to deprecate the options 'auto-dnssec' and >>> 'inline-signing' in BIND 9.18. The reason for this is because >>> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone. > ... > >> Hello, >> >> As today state,

Re: Deprecating auto-dnssec and inline-signing in 9.18+

Hi Emannuel, Thanks for your response. On 10-08-2021 11:28, FUSTE Emmanuel via bind-users wrote: Le 10/08/2021 à 10:02, Matthijs Mekking a écrit : Hi users, We are planning to deprecate the options 'auto-dnssec' and 'inline-signing' in BIND 9.18. The reason for this is be

Re: Deprecating auto-dnssec and inline-signing in 9.18+

Le 10/08/2021 à 10:02, Matthijs Mekking a écrit : > Hi users, > > We are planning to deprecate the options 'auto-dnssec' and > 'inline-signing' in BIND 9.18. The reason for this is because > 'dnssec-policy' is the preferred way of maintaining your DN

Deprecating auto-dnssec and inline-signing in 9.18+

Hi users, We are planning to deprecate the options 'auto-dnssec' and 'inline-signing' in BIND 9.18. The reason for this is because 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone. Deprecating means that you can still use the options in 9.18,

Re: Inline signing fails dnsviz test - STILL [LONG]

Hello again, On Sun, 16 May 2021, I wrote: ... If you can't agree their numbers then you're some information ... Having screen troubles. The word 'missing' is missing. -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-user

Re: Inline signing fails dnsviz test - STILL [LONG]

Hi there, On Sun, 16 May 2021, Dan Egli wrote: ... I'm aware of the buddyns.com servers not responding. Noting I can do about that. They CLAIM I've had over 300k requests in the last couple of weeks and have exceeded my monthly cap. I say Bull Crap ... I'd be inclined to believe them, but yo

Re: Inline signing fails dnsviz test - STILL [LONG]

than 9.16.15, which is what I'm running? >>> jupiter ~ # named -v >>> BIND 9.16.15 (Stable Release) >>> jupiter ~ # dig -v >>> DiG 9.16.15 >>> >>> >>> On 5/16/2021 12:06 AM, Mark Andrews wrote: >>>> >

Re: Inline signing fails dnsviz test - STILL [LONG]

5/10/2021 12:38 PM, Tony Finch wrote: Dan Egli  wrote: Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since i'm using inline signing. Or does inline signing still require a key to be generated? Yes, you need to do your own key management wi

Re: Inline signing fails dnsviz test - STILL [LONG]

gt;>>> >>>>> Still not working for me. The dig doesn't report anything, and I don't >>>>> HAVE a >>>>> keyfile since i'm using inline signing. Or does inline signing still >>>>> require a >>>>> key

Re: Inline signing fails dnsviz test - STILL [LONG]

8 PM, Tony Finch wrote: >>>> Dan Egli >>>> wrote: >>>> >>>>> Still not working for me. The dig doesn't report anything, and I don't >>>>> HAVE a >>>>> keyfile since i'm using inline signing. Or

Re: Inline signing fails dnsviz test - STILL [LONG]

i via bind-users wrote: On 5/10/2021 12:38 PM, Tony Finch wrote: Dan Egli wrote: Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since i'm using inline signing. Or does inline signing still require a key to be generated? Yes, you need to d

Re: Inline signing fails dnsviz test - STILL [LONG]

> On 16 May 2021, at 10:17, Dan Egli via bind-users > wrote: > > On 5/10/2021 12:38 PM, Tony Finch wrote: >> Dan Egli >> wrote: >> >>> Still not working for me. The dig doesn't report anything, and I don't HAVE >>> a >>> k

Re: Inline signing fails dnsviz test - STILL [LONG]

On 5/10/2021 12:38 PM, Tony Finch wrote: Dan Egli wrote: Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since i'm using inline signing. Or does inline signing still require a key to be generated? Yes, you need to do your own key managem

Re: Inline signing fails dnsviz test.

, and I don't HAVE a keyfile since i'm using inline signing. Or does inline signing still require a key to be generated? Yes, you need to do your own key management with inline-signing using dnssec-keygen. The new dnssec-policy feature can do automatic key management for you. Tony. -- D

Re: Inline signing fails dnsviz test.

Dan Egli wrote: > > Still not working for me. The dig doesn't report anything, and I don't HAVE a > keyfile since i'm using inline signing. Or does inline signing still require a > key to be generated? Yes, you need to do your own key management with inline-signing u

Re: Inline signing fails dnsviz test.

On 5/10/2021 12:17 PM, Tony Finch wrote: Dan Egli wrote: Where do I get the DS record, since i'm using bind's inline signing? Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the KSK file) $ grep This Kcam.ac.uk.+013+32840.key ; This is a

Re: Inline signing fails dnsviz test.

Dan Egli wrote: > > Where do I get the DS record, since i'm using bind's inline signing? Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the KSK file) $ grep This Kcam.ac.uk.+013+32840.key ; This is a key-signing key, keyid

Re: Inline signing fails dnsviz test.

here do I get the DS record, since i'm using bind's inline signing? On 5/10/2021 3:29 AM, John W. Blue via bind-users wrote: Hello Dan. Does your registrar have the ability via a UI to place a DS record in the .name zone? And if so, have you done

Re: Inline signing fails dnsviz test.

-users@lists.isc.org Subject: Inline signing fails dnsviz test. I tried to setup inline signing on my DNS server, and after reading the results from DNSVIZ, i'd say I was PARTIALLY successful, but there still seems to be a lot missing. You can check the status on dnsviz yourself with the names eglifami

Re: Inline signing fails dnsviz test.

ote: > > I tried to setup inline signing on my DNS server, and after reading the > results from DNSVIZ, i'd say I was PARTIALLY successful, but there still > seems to be a lot missing. > > You can check the status on dnsviz yourself with the names eglifamily.name &g

Re: Key rollover for inline signing zones

little bit, but there’s really not much to it. You might want to have a read through https://kb.isc.org/docs/aa-00822 for some more details on the concepts involved, and https://kb.isc.org/docs/aa-00711 for more inline-signing specific steps. Stuart From: bind-users on behalf of rams Date

Key rollover for inline signing zones

Hi, Can anyone share the steps and commands for key rollover for inline signing zones in bind by manual/auto. Regards, Ramesh ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of

Re: Debug logging for auto-dnssec inline signing

Tony Finch wrote:- >> What "category" should one be logging in order to get details of DNSSEC >> inline signing when running Bind 9.8.11? > >I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has >been unsupported for ages. Correct - I need to p

Re: Debug logging for auto-dnssec inline signing

Matthew Richardson wrote: > What "category" should one be logging in order to get details of DNSSEC > inline signing when running Bind 9.8.11? I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has been unsupported for ages. Yes, there is not very much loggin

Debug logging for auto-dnssec inline signing

What "category" should one be logging in order to get details of DNSSEC inline signing when running Bind 9.8.11? I have an authoratitive master server with a number of domains set with:- inline-signing yes; auto-dnssec maintain; and have a suspicion that Bind has simply

Re: Is inline-signing recommended?

Hello Alessandro, On 18.10.19 19:20, Alessandro Vesely wrote: > Did a better way arrive between 2014 and 2017? What does that warning > mean? The how to in this article manually creates keys or does key rollovers. Most DNS software have automated that part, see for example section Policy Configu

Is inline-signing recommended?

Hi all, reading about the various ways to sign zones, inline-signing seems to be the simplest one. However, a 2014 Swiss howto I found has this obscure warning: Update Nov 2017: DNSSEC zone signing as described here is outdated. We strongly recommend against the method described in

Bootstrap inline signing

Is it supported to bootstrap inline signing using dnssec-signzone?   $ named-compilezone -f text -F raw -o example.raw example.com example.text   $ dnssec-signzone -S -K /etc/bind/keys -O raw -3 ABCDEF -H 19 -A -o example.com -f example.raw.signed  example.text and then load the two files

AW: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

@lists.isc.org Betreff: RE: FW: Bind9.11: dnssec inline signing, cds records and catalog zones Hi Daniel Thanks for your answer. It's your "fault" that I'm doing dnssec stuff and posting here, I saw your speech at SwiNOG 😊 [...] __

RE: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

Hi Daniel Thanks for your answer. It's your "fault" that I'm doing dnssec stuff and posting here, I saw your speech at SwiNOG 😊 >If your keys have appropriate timing metadata, then the CDS/CDNSKEY >records are published for your zones automatically: > >See man dnssec-keygen >... >Timing option

Re: FW: Bind9.11: dnssec inline signing, cds records and catalog zones

Hello Philippe, > Is there a direct way to set the NSEC3PARAM? No idea. > Switch, the registry for .ch and .li domains is using/testing CDS > records. Can I tell named, to create the CDS Records for me? If your keys have appropriate timing metadata, then the CDS/CDNSKEY records are published fo

RE: Bind9.11: dnssec inline signing, cds records and catalog zones

Subject: FW: Bind9.11: dnssec inline signing, cds records and catalog zones Hello bind-users The previous mail was sent from a foreign address and need the approval of a moderator. Therefor I cancelled the submission and resending this mail with the correct address. Since a few years

FW: Bind9.11: dnssec inline signing, cds records and catalog zones

ys/example.ch"; # use inline signing: inline-signing yes; # publish and activate dnssec keys: auto-dnssec maintain; }; This server is not public. It's a "hidden master" for our public servers. New zones are "deployed" in the

Re: inline-signing: SOA serial out of sync

8062201 nodes: 88 last loaded: Fri, 15 Jun 2018 15:17:08 GMT secure: yes inline signing: yes key maintenance: automatic next key event: Fri, 22 Jun 2018 21:07:51 GMT next resign node: _25._tcp.lists4.lrau.net/NSEC next resign time: Fri, 29 Jun 2018 21:38:07 GMT dynamic: no reconfigurable via modz

Re: inline-signing: SOA serial out of sync

Hi, * Axel Rau : Occasionally it happens after rndc reload that the serial in the zone file is bigger than that in served SOA. In this case, named begins serving stale data. Probability for this to happen increases with size of the journal file. I used to see something similar (although views

Re: inline-signing: SOA serial out of sync

y has a clue on this. To summarise: Occasionally it happens after rndc reload that the serial in the zone file is bigger than that in served SOA. In this case, named begins serving stale data. Probability for this to happen increases with size of the journal file. I’m using auto-dnssec maintain;

Re: inline-signing: SOA serial out of sync

Am 14.06.2018 um 17:14 schrieb Matthew Pounsett :On 14 June 2018 at 10:16, Axel Rau wrote:Am 14.06.2018 um 16:12 schrieb Alan Clegg :Additionally, I read this as "the records changed are in an includedfile" -- is the serial number in the "inc

Re: inline-signing: SOA serial out of sync

On 14 June 2018 at 10:16, Axel Rau wrote: > > Am 14.06.2018 um 16:12 schrieb Alan Clegg : > > Additionally, I read this as "the records changed are in an included > file" -- is the serial number in the "including" zone being incremented? > > Yes. > > I think at this point you're going to need to

Re: inline-signing: SOA serial out of sync

> Am 14.06.2018 um 15:44 schrieb Matthew Pounsett : > > This now sounds very different from the original report. Are you saying that > the zone started with two TLSA records, you changed it to have only one, > reloaded the zone, but then none were present? Yes. > > That's a very different pro

Re: inline-signing: SOA serial out of sync

> Am 14.06.2018 um 16:12 schrieb Alan Clegg : > > Additionally, I read this as "the records changed are in an included > file" -- is the serial number in the "including" zone being incremented? Yes. Axel --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius signature.asc Description: Message si

Re: inline-signing: SOA serial out of sync

On 6/14/18 9:44 AM, Matthew Pounsett wrote: > It just happened again. An included zone file has been changed from > 2 TLSA RRs to one: [...] > This now sounds very different from the original report.  Are you saying > that the zone started with two TLSA records, you changed it to have on

Re: inline-signing: SOA serial out of sync

On 14 June 2018 at 06:27, Axel Rau wrote: > > Am 07.06.2018 um 13:36 schrieb Axel Rau : > > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > > It just happened again. An included zone file has been changed from 2 TLSA > RRs to one: > -

Re: inline-signing: SOA serial out of sync

2018 07:08:59 GMT secure: yes inline signing: yes key maintenance: automatic next key event: Thu, 14 Jun 2018 10:05:11 GMT next resign node: email1._domainkey.nussberg.de/TXT next resign time: Sun, 17 Jun 2018 19:29:37 GMT dynamic: no reconfigurable via modzone: no - - - What else can I collect t

Re: inline-signing: SOA serial out of sync

gned/lrau.net/acme_challenges.inc serial: 2018060805 signed serial: 2018060805 nodes: 88 last loaded: Thu, 07 Jun 2018 10:37:34 GMT secure: yes inline signing: yes key maintenance: automatic next key event: Sat, 09 Jun 2018 13:08:21 GMT next resign node: gw2.m6d2.lrau.net/NSEC next resign time: Fri

Re: inline-signing: SOA serial out of sync

Hi Tony, sorry for the late replay. > Am 07.06.2018 um 14:20 schrieb Tony Finch : > > Axel Rau wrote: >> >> occasionally named 9.11.3 fails to increment SOA serial like here: >> >> file: 2018060605 dns: 2018060604 > > With inline signing the

Re: inline-signing: SOA serial out of sync

On 7 June 2018 at 07:36, Axel Rau wrote: > Hi all, > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 > > zone file was edited by script and a rndc reload given. > [...] > Manual fixing requires another cycle with zone file editing

Re: inline-signing: SOA serial out of sync

Axel Rau wrote: > > occasionally named 9.11.3 fails to increment SOA serial like here: > > file: 2018060605 dns: 2018060604 With inline signing the signed and unsigned zones have separate serial numbers, so this is normal. If I understand inline-signing correctly, when you onl

inline-signing: SOA serial out of sync

notify to … Config detail: key-directory "master/signed/lrau.net/"; auto-dnssec maintain; inline-signing yes; dnssec-secure-to-insecure no; Manual fixing requires another cycle with zone file editing: ——-——- [hermes:master/signed/lrau.net] root# service named stop Stop

Re: BIND, inline signing, include files

* David Dowdle : Did the serial number get incremented? Yes. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bin

Re: BIND, inline signing, include files

ntain" and "inline-signing yes" - external zones use $INCLUDE directives (for e.g. SPF and so on) - BIND 9.10 (9.10.3.dfsg.P4-12.3+deb9u3) on Debian - change a RR in an included file and relading bind will not show the changes (and no, that's not a caching issue) The problem

BIND, inline signing, include files

Hello world, I was seeing a strange problem where sometimes, changes to a file included in a zone are not applied. Configuration is: - internal and external view - external zones with "auto-dnssec maintain" and "inline-signing yes" - external zones use $INCLUDE directives

Re: inline-signing a zone that exists in two views

On Fri, May 19, 2017 at 8:56 AM, Matus UHLAR - fantomas wrote: > Gordon Messmer wrote: >>> > Is it considered best-practice (or just normal) for authoritative >>> > servers to just not use the local server for resolution? >>> >> > On Wed, May 10, 2017 at 5:56 AM, Tony Finch wrote: >> >>> Mine d

  1   2   3   >