Hallo,
I am trying to set up (= prepare) our DNS servers for the DNSSEC era.
I have a Centos 5.x with Bind 9.3.6-4. I have one problem and 2 questions.
The problem is that the specific version seems to lack support for DNSSEC
validation! named-checkconf returns the following error:
/etc/named.conf:212
I missed the trusted key .. Thanks
Here is the other output
# dig +cd +dnssec dlv.isc.org dnskey @localhost
; <<>> DiG 9.6.2-P1-RedHat-9.6.2-3.P1.fc12 <<>> +cd +dnssec dlv.isc.org dnskey @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
Ok. I will open a bug.
Thanks
-dani
On Thu, May 20, 2010 at 8:10 PM, Mark Andrews wrote:
>
> In message , itservices88 writes:
> > Hi,
> >
> > I am having a dnssec problem while signing zone:
> >
> > # dnssec-signzone -N INCREMENT mydomain.org
> > Verifying the zone using the following alg
On May 20, 2010, at 8:34 PM, Hoover Chan wrote:
> Heh, thanks for the humor.
>
> I'm used to having control over both Web server and DNS server and the way I
> normally handle these things is via an Apache virtual host configuration.
> However, I'm under pressure to lose control of DNS and hand
In message , itservices88 writes:
> Hi,
>
> I am having a dnssec problem while signing zone:
>
> # dnssec-signzone -N INCREMENT mydomain.org
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
> The zone is not fully signed for the following algo
In message <20100520192619.ga27...@laperouse.bortzmeyer.org>, Stephane Bortzmeyer writes:
> On Thu, May 20, 2010 at 12:10:53PM -0700,
> itservices88 wrote
> a message of 92 lines which said:
>
> > # dnssec-signzone -N INCREMENT mydomain.org
> > Verifying the zone using the following algorith
Hi Bind Users,
Good day. I wish to know what is the industry standard when dealing with the
"TOTAL QPS" and how do we calculate this with BIND?
My understanding of "QPS" is the queries that a DNS server has received
regardless if it was dealt with a successful response, nxdomain or timed-out
In message , itservices88 writes:
> Hi,
>
> Whenever I enable:
>
> dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
>
> in the named.conf, restart bind, the dns resolution stops. On the same FC12
> machine, dig using an outside dns server has no issues resolving with
> +dnssec option. I am us
Hi,
Whenever I enable:
dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";
in the named.conf, restart bind, the dns resolution stops. On the same FC12
machine, dig using an outside dns server has no issues resolving with
+dnssec option. I am using bind 9.6.2 that came with FC12.
Any thoughts ?
-
Hoover Chan wrote:
I'm new to this list but have been having trouble looking for information on
this topic.
A pointer please to information on how to use BIND to "translate" a domain name to
a target URL. For example, www.domain ->
http://www.someother.domain/folder1/folder2/index.html.
Than
Heh, thanks for the humor.
I'm used to having control over both Web server and DNS server and the way I
normally handle these things is via an Apache virtual host configuration.
However, I'm under pressure to lose control of DNS and hand it over to a
company like Go Daddy or Network Solutions
On Thu, May 20, 2010 at 5:18 PM, Hoover Chan wrote:
> I'm new to this list but have been having trouble looking for information on
> this topic.
>
> A pointer please to information on how to use BIND to "translate" a domain
> name to a target URL. For example, www.domain ->
> http://www.someoth
I'm new to this list but have been having trouble looking for information on
this topic.
A pointer please to information on how to use BIND to "translate" a domain name
to a target URL. For example, www.domain ->
http://www.someother.domain/folder1/folder2/index.html.
Thanks in advance.
-
#named-checkconf -t /var/named/chroot /etc/named.conf
#
# named-checkzone -t /var/named/chroot mydomain.org /etc/named-data/mydomain.org
zone mydomain.org/IN: loaded serial 2010141144
OK
No errors from either of the commands.
Maybe I am missing something else.
Thanks
On Thu, May 20, 2010 at 1:04
On Thu, May 20, 2010 at 12:51 PM, Hauke Lampe wrote:
> On 05/20/2010 09:10 PM, itservices88 wrote:
>
> > Verifying the zone using the following algorithms: RSASHA1.
> > Missing RSASHA1 signature for . NSEC
>
> You seem to have a record for "." somewhere in your zone file.
>
In named.conf, i ha
No local script. I am using dnssec-signzone that came with the installation:
# dnssec-signzone --help
Version: 9.6.2-P1-RedHat-9.6.2-3.P1
On Thu, May 20, 2010 at 12:26 PM, Stephane Bortzmeyer wrote:
> On Thu, May 20, 2010 at 12:10:53PM -0700,
> itservices88 wrote
> a message of 92 lines which
On 5/20/2010 12:51 PM, Hauke Lampe wrote:
Did you load the unsigned zone into BIND before? It should have logged a
warning about that record.
named-checkzone would be useful here as well.
hth,
Doug
--
... and that's just a little bit of history repeating.
--
On 05/20/2010 09:10 PM, itservices88 wrote:
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
You seem to have a record for "." somewhere in your zone file.
Did you load the unsigned zone into BIND before? It should have logged a
warning about t
On Thu, May 20, 2010 at 12:10:53PM -0700,
itservices88 wrote
a message of 92 lines which said:
> # dnssec-signzone -N INCREMENT mydomain.org
> Verifying the zone using the following algorithms: RSASHA1.
> Missing RSASHA1 signature for . NSEC
> The zone is not fully signed for the following alg
Hi,
I am having a dnssec problem while signing zone:
# dnssec-signzone -N INCREMENT mydomain.org
Verifying the zone using the following algorithms: RSASHA1.
Missing RSASHA1 signature for . NSEC
The zone is not fully signed for the following algorithms: RSASHA1.
dnssec-signzone: fatal: DNSSEC comp
If your primary master goes down, and you want to ensure that all of
your slaves get the *latest*available*version* of the zone, and serve
it until the master comes back up, then you would "cross-connect" all of
your slaves so that eventually they'll all sync up to that version.
*HOWEVER*, be
I have a question about the bug that this patch fixes.
--- 9.6.2-P2 released ---
2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]
Does this bug only occur if dnssec is enabled?
or only if dnssec valida
22 matches