Re: dnssec-policy syntax error in options but not in view

2023-08-04 Thread Matthijs Mekking

What Mark said.

So that would become:

dnssec-policy "mydefault" {
keys {
csk key-directory lifetime unlimited algorithm ecdsa256;
};
};

options {
dnssec-policy "mydefault";
};


On 8/4/23 01:32, Mark Andrews wrote:
You can’t define a policy there. You can tell named to use the policy. 
Move the definition outside of options.


--
Mark Andrews


On 4 Aug 2023, at 08:26, E R wrote:


My understanding from the ARM is that the dnssec-policy can be in the 
"options", "view" or "zone".  I have mine in "view" and when I try to 
move it into "options" I get a syntax error that I cannot seem to 
understand what is wrong.  I stripped out all other statements and 
reduced the dnssec-policy to just a handful of items to KISS and I 
still do not see why I get the error from named-checkconf.  I can 
move the block from under "options" to the "view" and it just works, so 
I am not sure why named-checkconf thinks there is a missing 
semicolon?  Bind 9.16.23-RH.


# named-checkconf 1.conf
1.conf:3: missing ';' before '{'
1.conf:3: '}' expected near '{'

# cat 1.conf
options {
   dnssec-policy "mydefault" {
     keys {
         csk key-directory lifetime unlimited algorithm ecdsa256;
     };
   };
 };


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list


ISC funds the development of this software with paid support 
subscriptions. Contact us at https://www.isc.org/contact/ for more 
information.



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users





RE: monitoring BIND

2023-08-04 Thread sami . rahal
Hello Andrew
Thank you for your feedback I am testing some tools including netdata from the 
list suggested by the isc except that I want to know your feedback about the 
tools you use especially to monitor latency.
Regards

From: Andrew Latham
Sent: Thursday 3 August 2023 16:14
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: monitoring BIND

Maybe start with https://kb.isc.org/docs/monitoring-recommendations-for-bind-9

On Thu, Aug 3, 2023 at 9:07 AM <sami.ra...@sofrecom.com> wrote:

Hello community,
Please, what is the most recommended tool for BIND monitoring, especially 
to display response time and latency? Thank you in advance.
Regards, Sami


--
- Andrew "lathama" Latham -


RE: monitoring BIND

2023-08-04 Thread sami . rahal
Hello Borja,
Thank you very much for this feedback. Yes, I confirm that monitoring 
latency is not always obvious. About the solution you are currently 
using, is there a tutorial to try it? Thanks in advance.
Regards, Sami

-----Original Message-----
From: Borja Marcos
Sent: Friday 4 August 2023 07:34
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: monitoring BIND



> On 3 Aug 2023, at 17:07, sami.ra...@sofrecom.com wrote:
> 
> Hello community,
> Please, what is the most recommended tool for BIND monitoring, especially 
> to display response time and latency? Thank you in advance.

For latency, your friend is Dnstap. The implementation on Bind is superb. When 
Dnstap reports a RESOLVER_RESPONSE event it includes *both* the query timestamp 
and the received response timestamp. It doesn't work on CLIENT_RESPONSE right 
now, although it may with a small caveat (I am going to lobby a bit: issue 
3695).

Other DNS servers are not so complete, so you should keep track of those 
timestamps yourself. 

Borja.


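The latency calculation Borja describes, as an added example that is not part of the thread and not ISC code: it subtracts the query timestamp from the response timestamp of each RESOLVER_RESPONSE message and skips messages that carry no query timestamp (such as CLIENT_RESPONSE today) or a response stamped before its query. The field names assume the dnstap protobuf Message schema (query_time_sec/nsec, response_time_sec/nsec, type) on already-decoded frames; the sample records are constructed, not real captures.

```python
import math

# Added example (not from the thread): compute resolver latency from decoded
# dnstap messages as Borja describes. Field names follow the dnstap protobuf
# Message schema; the records below are constructed samples, not real captures.
RESOLVER_RESPONSE = "RESOLVER_RESPONSE"
CLIENT_RESPONSE = "CLIENT_RESPONSE"

SAMPLE_MESSAGES = [
    {"type": RESOLVER_RESPONSE,
     "query_time_sec": 1691138400, "query_time_nsec": 900_000_000,
     "response_time_sec": 1691138401, "response_time_nsec": 150_000_000},  # 250 ms
    {"type": RESOLVER_RESPONSE,
     "query_time_sec": 1691138402, "query_time_nsec": 10_000_000,
     "response_time_sec": 1691138402, "response_time_nsec": 22_000_000},   # 12 ms
    # CLIENT_RESPONSE as described in the thread: no query timestamp to subtract
    {"type": CLIENT_RESPONSE,
     "response_time_sec": 1691138403, "response_time_nsec": 0},
    # Response stamped before the query (clock step): reject rather than report negative
    {"type": RESOLVER_RESPONSE,
     "query_time_sec": 1691138405, "query_time_nsec": 0,
     "response_time_sec": 1691138404, "response_time_nsec": 999_000_000},
]

def latency_ms(msg):
    """Query-to-response latency in ms for a RESOLVER_RESPONSE, else None."""
    if msg.get("type") != RESOLVER_RESPONSE:
        return None
    try:
        q = msg["query_time_sec"] * 10**9 + msg["query_time_nsec"]
        r = msg["response_time_sec"] * 10**9 + msg["response_time_nsec"]
    except KeyError:
        return None
    if r < q:
        return None
    return (r - q) / 10**6

def summarize(messages):
    """Count usable samples, skipped messages, max and nearest-rank p95 latency."""
    lats = sorted(ms for ms in map(latency_ms, messages) if ms is not None)
    skipped = len(messages) - len(lats)
    if not lats:
        return {"count": 0, "skipped": skipped, "max_ms": None, "p95_ms": None}
    p95 = lats[max(0, math.ceil(0.95 * len(lats)) - 1)]
    return {"count": len(lats), "skipped": skipped, "max_ms": lats[-1], "p95_ms": p95}

if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```

Feeding it real frames means decoding the Frame Streams container and protobuf first (for example with the dnstap Python bindings), which this block leaves out.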

question about DNSSEC with PKCS11

2023-08-04 Thread sun guonian
Hi,

I have tried the DNSSEC signing test according to the document
https://kb.isc.org/docs/bind-9-pkcs11
(and section 5.5 of the Bv9ARM of version 9.18.16).

I have two questions about it,

1. Since I use an HSM (currently softhsm) to store the DNSSEC key, is it
more insecure to convert the key(s) from the HSM to a .private file with
dnssec-keyfromlabel?

2. When I configure a KASP policy, I notice that bind will generate new key(s)
each time it needs them, but no new object is generated in softhsm. Could
bind of this version roll the objects in the HSM/softhsm?

Thanks in advance.

Best Regards,
SUN Guonian

And my environment is,
bind-9.18.16
opensc-0.42
softhsm-2.6.1
openssl-1.1.1k from system
RockyLinux 8