> While writing this, a compromise came to me. :) I can run forward
> zones as children of a single TLD, and use 168.192.in-addr.arpa. as
> parent for all my reverse zones. :)
If you're setting up your own DNS root server, you could sign that root
zone, have your clients enter that island of tru
On 04/27/2011 04:40 AM, /dev/rob0 wrote:
With one KSK and one ZSK per zone, we're looking at *12* keys to go
in the connected sites' trusted-keys. Errr, no, I guess I only need
the KSKs, but still, that's 6. I'd prefer that it be fewer than that.
One sounds simpler, in fact.
But the trusted-ke
You can safely take the spaces out of the key string. It's base64, so
whitespace shouldn't be important, but apparently dhcpd cares.
#!/bin/sh
# dnssec-keygen prints the base name of the key files it writes
filebase=$(/usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname)
# pull the base64 secret out of the .private file and drop any spaces
awk '/^Key: /{print $2}' "$filebase.private" | sed 's/ //g'
Chris Buxton
BlueC
On 04/27/11 07:52, Martin McCormick wrote:
> I changed our tsig key and broke the world. Actually, the DNS's
> are happy. DHCP appears to be happy, but I am generating bad
> keys.
>
> I wrote a script as follows:
>
> #! /bin/sh
> /usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname
>
On 04/27/11 05:40, /dev/rob0 wrote:
> On Tue, Apr 26, 2011 at 10:15:18AM +0100, Phil Mayers wrote:
>> On 04/26/2011 02:13 AM, /dev/rob0 wrote:
>>> Is there any
>>> reason why I can't use the parent zone's KSK for the dynamic
>>> zone? Better yet, is there a reason why I shouldn't?
>>
>> Better yet,
I changed our tsig key and broke the world. Actually, the DNS's
are happy. DHCP appears to be happy, but I am generating bad
keys.
I wrote a script as follows:
#! /bin/sh
/usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname
It produced a beautiful-looking key that bind was happy with
On Tue, Apr 26, 2011 at 10:15:18AM +0100, Phil Mayers wrote:
> On 04/26/2011 02:13 AM, /dev/rob0 wrote:
> > Is there any
> >reason why I can't use the parent zone's KSK for the dynamic
> >zone? Better yet, is there a reason why I shouldn't?
>
> Better yet, why *would* you? Keys aren't exactly expe
In message , Chris Thompson writes:
> On Apr 26 2011, Eivind Olsen wrote:
>
> >Chris Buxton wrote:
> >
> >> Create RFC 1918 reverse zones for whatever parts of this address space
> >> you're using.
> >> Newer versions of BIND will do this automatically for you -- the zones
> >> are created witho
On Apr 26 2011, Eivind Olsen wrote:
Chris Buxton wrote:
Create RFC 1918 reverse zones for whatever parts of this address space
you're using.
Newer versions of BIND will do this automatically for you -- the zones
are created without content. What version of BIND are you using?
Hm, anyone know
Babu - if that's the case, and if the DHCP servers are only configured to
use your BIND servers for DNS resolution, then perhaps it's an issue with
Windows DHCP and not BIND (unless you have configured BIND to forward
un-auth RFC1918 to AS112 servers).
Chris.
> -- Forwarded message --
Chris Buxton wrote:
> Create RFC 1918 reverse zones for whatever parts of this address space
> you're using.
> Newer versions of BIND will do this automatically for you -- the zones
> are created without content. What version of BIND are you using?
Hm, anyone know which versions? The BIND 9.8 ARM
Dear Chris,
Actually this query is being sent by my DHCP server running in windows
operating system.
I have configured forwarders in DHCP towards my gateway DNS servers (running in
Redhat BIND).
--- On Tue, 26/4/11, Chris Buxton wrote:
From: Chris Buxton
Subject: Re: continous DNS que
Create RFC 1918 reverse zones for whatever parts of this address space
you're using.
Newer versions of BIND will do this automatically for you -- the zones
are created without content. What version of BIND are you using?
Chris Buxton
BlueCat Networks
On 4/26/11, babu dheen wrote:
> Dear Chris,
Dear Chris,
Thanks for your quick response. But my concern is; why has this query actually
started going to AS112 servers?
Is it because my DHCP servers do not maintain PTR record zone for all internal
IP address?
I need to have a solution to stop this query at host level instead of adding
Thanks to Mark, Phil and the offlist reply I got, it all makes more
sense now, and I have it working perfectly! :) Your time and efforts
are greatly appreciated.
I don't know how many times I looked at that Bv9ARM.ch10.html page
without seeing the dnssec-dsfromkey link! That would have answered
They're not root servers.
Add this to your named.conf, alongside your 'forwarders' statement:
forward only;
Chris Buxton
BlueCat Networks
On 4/26/11, babu dheen wrote:
> Hi,
>
> I understand that my system contacts AS112 server but not sure why my system
> is contacting AS112 ROOT servers
>
>
On 04/26/2011 02:13 AM, /dev/rob0 wrote:
I feel like I am understanding the "how" of this DNSSEC stuff, but
I'm not so sure about some of the "whys". This post is asking a bit
of both.
I've got a static zone, nodns4.us., which is now signed. It's the
parent zone to dynamic.nodns4.us., a dynamic
In message <20110426011334.GE2976@cardinal>, /dev/rob0 writes:
> I feel like I am understanding the "how" of this DNSSEC stuff, but
> I'm not so sure about some of the "whys". This post is asking a bit
> of both.
>
> I've got a static zone, nodns4.us., which is now signed. It's the
> parent zo
Hi,
I understand that my system contacts AS112 server but not sure why my system is
contacting AS112 ROOT servers
Can you tell me what I need to do at server level to stop this. I read the RFC
but nowhere does it clearly mention why this is happening.
I have already configured forwarders in