Hi,
On our pdns auth, we'd like to not serve ANY queries, not even over TCP.
Ideally, we'd like to return NOTIMPL.
In dnsdist, this is done with:
addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.NOTIMP))
However, we've removed our dnsdist (for port 53; still in use for DoT), as
we'v
Hi Andrea,
On 10/24/23 14:19, Andrea Biancalani via Pdns-users wrote:
local postal police required to blacklist a list of domains.
What kind of institution is that? Is this part of the Italian police?
Thanks,
Peter
___
Pdns-users mailing list
Pdns-u
Hi Atanas,
On 10/3/23 18:56, atanas argirov via Pdns-users wrote:
* testing malformed fingerprint size of (hash size +/- 2) is accepted with no
complaints from both API and pdnsutil
My question is:
* is there any validation on the SSHFP fingerprint size based on the hash type?
Apparently no
Hi Klaus,
On 4/15/23 22:09, Klaus Darilion via Pdns-users wrote:
Hence, I would consider enabling IXFR for this zone, but until now I always
tried to stay away from IXFR as there were always bugs in PDNS regarding IXFR,
and according to the documentation removing of ENTs is not supported (does
On 3/25/23 14:04, Christoph wrote:
My understanding is that ACME is about whether there is a TXT RRset with the
challenge record; if it is not there, it's irrelevant whether the outcome is
NXDOMAIN or NODATA/NOERROR.
OK, now I understand where the misunderstanding comes from. Thanks for
e
On 3/25/23 11:44, Christoph wrote:
>> However, I doubt this is a reasonable approach for your ACME
>> client.
Sounds like a simple enough solution to me, can you elaborate why
you doubt it is reasonable?
My understanding is that ACME is about whether there is a TXT RRset with the
challen
On 3/13/23 11:41, Chris Hofstaedtler | Deduktiva via Pdns-users wrote:
* Christoph [230312 19:52]:
When there is an xNAME chain, the RCODE field is set as follows:
When an xNAME chain is followed, all but the last query cycle
necessarily had no error. The RCODE in the ulti
ious Thursday until the Thursday two weeks later. This two-week interval
> jumps with one-week increments every Thursday.
Stay secure,
Peter
--
OpenPGP Fingerprint: 7963 D427 FD32 AC6F D20F D0B1 EFD6 143A 3EF2 2D2F
deSEC
https://desec.io/
Vertreten durch: Dr. Peter Thomassen, Nils Wisiol
sig
On 06/14/2017 09:50 AM, Peter Thomassen wrote:
> Caveat: NSEC3 (and probably also NSEC) records do reveal the presence of
> the other records in the database. I think this is a bug -- I'm going to
> open an issue on github.
for reference: https://github.com/PowerDNS/pd
Hi Pieter,
On 09/09/2016 07:20 AM, Pieter Lexis wrote:
>> *.example.com. IN A 1.2.3.4
>> a.example.com. IN A 2.3.4.5
>>
>> Then, without DNSSEC enabled, asking for the A record of b.a.example.com
>> gives 1.2.3.4. However, with DNSSEC enabled, the result is NXDOMAIN.
>>
>> So,
Hi Pieter,
On 09/09/2016 07:00 AM, Pieter Lexis wrote:
>> I set up the recursor (4.0.3) with a separate zone file that I
>> declared authoritative using the auth-zones directive. The zone file
>> contains DNSSEC signatures.
>>
>> However, when querying the recursor using dig +dnssec, only the
>>
Hi,
I noticed the following inconsistency in the authoritative server, and I
would like to know if it is intended. (I was not unable to figure this
out by looking up the RFCs.)
Let's say we have
*.example.com. IN A 1.2.3.4
a.example.com. IN A 2.3.4.5
Then, without DNSSEC enabled, as
Hi all,
I would like to set up frontend nameservers in various locations which
have copies of my zone files (i.e., slaves). I would like the zones to
be pre-signed, but use NSEC3 in narrow mode at the same time.
NSEC3 narrow requires live signing of replies. However, I would like to
avoid having
Hi,
I set up the recursor (4.0.3) with a separate zone file that I
declared authoritative using the auth-zones directive. The zone file
contains DNSSEC signatures.
However, when querying the recursor using dig +dnssec, only the
requested record types (e.g. A) are returned, but not the RRSIG rec
Hi,
I recently ran pdnsutil rectify-zone, with the pdns 4.0.0~alpha2 version
that comes with Ubuntu 16.04. I am using the MySQL background, and got a
deadlock:
Error:
GSQLBackend unable to update ordername and auth for domain_id 3390:
Could not execute mysql statement: update records set ordernam
Hi Klaus,
On 09/21/2015 04:11 PM, Klaus Darilion wrote:
> With Anycast it works from the beginning, but is not always correct (BGP
> is optimized for cheapest routing, not for most efficient routing). And
> if it is too expensive for you to build an Anycast network, just host
> your domains with so
Dear PowerDNS people,
Are there any hooks in PowerDNS to run scripts after certain API calls
have been processed? Since I could not find this in the documentation, I
assume the chances are low, but I still thought it's worth asking.
For example, after adding a zone, I would like to turn on DNSSEC
Hi Pieter,
On 05/20/2015 01:42 PM, Pieter Lexis wrote:
> On 05/20/2015 01:31 PM, Peter Thomassen wrote:
>> Yes, I saw that. However, I am using PowerDNS 3.3 on the slaves, so that
>> can't be it ...
>
> Is the zone on the slave set to pre-signed? If not, PowerDNS ig
Hi Leen,
On 05/20/2015 12:32 PM, Leen Besselink wrote:
>> # these failed:
>> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
>> dig @ns1.desec.io +dnssec +norec desec.io A
>>
>> Here is a working example with an RRSIG for the DNSKEY query:
[...]
> As we can see, no RRSIG-record on your domain, my
Hi Leen,
Thank you for your quick reply!
On 05/20/2015 12:39 PM, Leen Besselink wrote:
> Just had a quick look at the docs. What version are you running ? Did you see
> this ?:
>
> "When using slaves that AXFR your signed zones, be sure that your slaves
> actually support serving DNSSEC. Some
Dear experts,
I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
for desec.io, and I'd like to ask for your help once more.
I have a hidden primary which does the signing in live mode (MySQL
backend), and two public nameservers ns1.desec.io and ns2.desec.io which
receive the z
Hi Pieter,
On 05/19/2015 08:04 PM, Pieter Lexis wrote:
>> # pdnssec show-zone desec.io
>
> I tested your DNSKEY record using ldns-key2ds and get exactly the same
> results for every algorithm. I would advise you to open a ticket with
> nic.io.
>
> It might also be that they simply don't accept GO
Hi,
I am running a hidden primary and two slaves which are exposed to the
public. I would like to use DNSSEC, and keep the private keys on the
hidden primary. I'm using the MySQL backend.
As far as I know, there are two (or more?) ways to set up replication:
- AXFR-based. In this case, private k
Hi,
I am trying to publish DS records for desec.io with the .io registry.
Upon entering the DS records in their web interface, I get the
following error:
> The Algorithm and data do not match in your DS record
I am surprised, because the records are from pdnssec show-zone:
# pdnssec show-zone d
Hi Ken,
On 04/29/2015 02:50 PM, k...@rice.edu wrote:
> On Wed, Apr 29, 2015 at 11:26:41AM +0300, Kiki wrote:
>> Thanks for the info. I'm still confused about the meaning of "for questions
>> for which there is no answer", in the following paragraph:
>>
>> This means that for questions for which th
Hi,
My PowerDNS slave log file often shows lines like the following:
17 slave domains need checking, 0 queued for AXFR
Received serial number updates for 16 zones, had 1 timeouts
Domain 'example.com' is fresh (not presigned, no RRSIG check)
[there are 16 lines like the last one]
I am not sure if