On Fri, Oct 01, 2010 at 05:39:16PM +0200, Matus UHLAR - fantomas wrote:
>
> On 01.10.10 12:39, Joerg Dorchain wrote:
> > Well, I could agree that "wrong" means not thought of by
> > RfC-Designers and bind implementers (yet).
>
> probably it was not thought because it's wrong.
This point
In article ,
lst_ho...@kwsoft.de wrote:
> Quoting Alan Clegg:
>
> > On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote:
> >
> >> Sorry for being unclear. We want the SERVFAIL as it should be for
> invalid DNSSEC data *in all cases* e.g. even if a client asks with the
> >> cdflag (checking disab
Hello
While starting up bind I get the following 2 messages
01-Oct-2010 15:13:15.304 set up managed keys zone for view external, file
'3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
and
01-Oct-2010 15:13:15.309 managed-keys-zone ./IN/external: loading from master
file 3c4
Quoting Alan Clegg:
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote:
Sorry for being unclear. We want the SERVFAIL as it should be for
invalid DNSSEC data *in all cases* e.g. even if a client asks with the
cdflag (checking disable) set.
CD means "don't check", so you can't by definition.
A
I haven't seen any answers to Timothe's questions below, though I have been
keeping an eye out for them. The documentation in this area is a bit thin...
Tony.
--
f.anthony.n.finch http://dotat.at/
On 20 Sep 2010, at 20:28, "Timothe Litt" wrote:
> I'm trying to get named and my management to
On 10/1/2010 4:50 PM, lst_ho...@kwsoft.de wrote:
> Sorry for being unclear. We want the SERVFAIL as it should be for
> invalid DNSSEC data *in all cases* e.g. even if a client asks with the
> cdflag (checking disable) set.
CD means "don't check", so you can't by definition.
AlanC
Quoting Alan Clegg:
On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote:
Hello
after the root zones are now DNSSEC signed we like to use DNSSEC at our
caching resolvers. I have setup Bind 9.7.0-P1-1 at the border and
basically it is working fine. What I have not managed is to always
force obey
On 10/1/2010 4:26 PM, lst_ho...@kwsoft.de wrote:
> Hello
>
> after the root zones are now DNSSEC signed we like to use DNSSEC at our
> caching resolvers. I have setup Bind 9.7.0-P1-1 at the border and
> basically it is working fine. What I have not managed is to always
> force obeying DNSSEC sign
Hello
after the root zones are now DNSSEC signed we like to use DNSSEC at
our caching resolvers. I have setup Bind 9.7.0-P1-1 at the border and
basically it is working fine. What I have not managed is to always
force obeying DNSSEC signed zones for resolving e.g. if I use "dig
+cdflag www
YES Brilliant Thanks Rob.
I think it is working now. I have the update-policy setup as follows:
grant d...@realm wildcard * ANY;
grant d...@realm wildcard * ANY;
grant dns_serv...@realm wildcard * ANY;
deny REALM ms-self * SR
If you're trying to grant update rights to a specific machine (rather
than every machine in the realm), something like:
grant d...@realm. subdomain dnsname.;
might work better, where "d...@realm" is (eg) the Kerberos principal
corresponding to your DC and "dnsname" is the tree to which you want
NS records must point to an A record. ns1 and ns2 .nsdomain.com do
not have A records defined for them according to the zone file.
-- John
On 10/1/2010 12:14 AM, rams wrote:
Hi,
I have configured records as follows in bind. When we start the bind
9.7, bind is not starting.
But bind is star
Updating to 9.7.2-P2 seems to be working. Of course it is not working exactly
like we think it should. When we have things set like this:
deny ms-self * SRV ;
grant ms-self * ANY;
Nothing will update. When we set it like this:
deny ms-self * SRV;
grant ms-self * ANY;
Things seem to w
> > > Yes. To explain my setup further, there is a view based on
> > > src-IPs for some clients, where recursion is turned on.
> > > The rest of the world gets non-recursive answers, e.g. with
> > > authoritative data, or refused.
> > >
> > > In case of that specific forward zone, bind answers in t
> On Oct 1 2010, Tony Finch wrote:
>
> >On Fri, 1 Oct 2010, Magali Bernard wrote:
> >>
> >> Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view
> >> _default, file 'managed-keys.bind'
> >> Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from
> >> master f
At Fri, 1 Oct 2010 07:05:40 -0600, Nicholas F Miller wrote:
>
> It is interesting, when I try an update from a client all I get are
> denies. When I try an update using nsupdate -g from the DNS server I
> will get a REFUSED but I will also get a DNS/h...@domain kerb ticket
> from the keytab.
It m
On Oct 1 2010, Tony Finch wrote:
On Fri, 1 Oct 2010, Magali Bernard wrote:
Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view
_default, file 'managed-keys.bind'
Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from
master file managed-keys.bind failed:
On Fri, 1 Oct 2010, Magali Bernard wrote:
>
> Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view
> _default, file 'managed-keys.bind'
> Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from
> master file managed-keys.bind failed: file not found
> Oct 1 08:
Hello bind-users,
Today I jumped from BIND 9.6.2 to 9.7.2-P2
Seems to be ok, except:
Oct 1 08:30:19 stroph named[24453]: set up managed keys zone for view
_default, file 'managed-keys.bind'
Oct 1 08:30:19 stroph named[24453]: managed-keys-zone ./IN: loading from
master file managed-keys.bind
That is how I created my keytab as well.
It is interesting, when I try an update from a client all I get are denies.
When I try an update using nsupdate -g from the DNS server I will get a REFUSED
but I will also get a DNS/h...@domain kerb ticket from the keytab.
___
Thanks, I'll give it a try and see if things begin to work.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 10:15 AM, Tony Finch wrote:
> On Thu, 30 Sep 2010, Nicholas F Miller wrote:
>
>> Does anyone actual
Yea, it seems that people got it working when the functionality came out but
subsequently I haven't seen it working for anyone in a production environment.
_
Nicholas Miller, ITS, University of Colorado at Boulder
On Sep 30, 2010, at 3:24
On Fri, Oct 01, 2010 at 11:25:31AM +0200, Kalman Feher wrote:
> > Yes. To explain my setup further, there is a view based on
> > src-IPs for some clients, where recursion is turned on.
> > The rest of the world gets non-recursive answers, e.g. with
> > authoritative data, or refused.
> >
> > In ca
On Fri, Oct 01, 2010 at 02:58:28PM +0530,
rams wrote
a message of 240 lines which said:
> Suppose we have two A records as ,
These two records have the same {name, class, type} and therefore
belong to the same RRset (Resource Record Set).
> When we update TTL value as below for one of the re
An observation in nsupdate:
Suppose we have two A records as ,
*addforixfr.bind9712.com. 3456 IN A 10.32.21.30*
*addforixfr.bind9712.com. 3456 IN A 10.32.21.20*
When we update TTL value as below for one of the records , the TTL value
changes for both the record
On 1/10/10 9:15 AM, "Joerg Dorchain" wrote:
> On Thu, Sep 30, 2010 at 07:13:11PM -0400, Kevin Darcy wrote:
>> Per-zone recursion control doesn't exist in BIND, because frankly it
>> doesn't make sense.
>
> I used to think that, too, until I came to my specific problem.
>>
>> Either a zone ty
> On Fri, Oct 01, 2010 at 09:44:42AM +0530,
> rams wrote
> a message of 300 lines which said:
>
> > But bind is started successfully when commented below ns domains
> > which are marked as RED.
On 01.10.10 08:57, Stephane Bortzmeyer wrote:
> Some people are color-blind and some do not use a W
On Thu, Sep 30, 2010 at 07:13:11PM -0400, Kevin Darcy wrote:
> Per-zone recursion control doesn't exist in BIND, because frankly it
> doesn't make sense.
I used to think that, too, until I came to my specific problem.
>
> Either a zone type is meaningless *without* recursion (type forward,
> type
On Fri, Oct 01, 2010 at 09:44:42AM +0530,
rams wrote
a message of 300 lines which said:
> But bind is started successfully when commented below ns domains
> which are marked as RED.
Some people are color-blind and some do not use a Web browser to read
email. Using colors on a technical list i
29 matches