On 12/21/2012 7:37 PM, Alan Clegg wrote:
On Dec 22, 2012, at 12:42 PM, Evan Hunt wrote:
By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
a(mother) ZSK.
You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
named not to use the ZSK when it signs the DNSKEY
On Dec 22, 2012, at 12:42 PM, Evan Hunt wrote:
>> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
>> a(mother) ZSK.
>
> You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
> named not to use the ZSK when it signs the DNSKEY RRset, but it should
> still u
On 12/21/2012 6:42 PM, Evan Hunt wrote:
By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
a(mother) ZSK.
You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
named not to use the ZSK when it signs the DNSKEY RRset, but it should
still use the ZSK (and not th
> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
> a(mother) ZSK.
You're thinking of "update-check-ksk". "dnssec-dnskey-kskonly" tells
named not to use the ZSK when it signs the DNSKEY RRset, but it should
still use the ZSK (and not the KSK) for all the other data in the z
On Dec 22, 2012, at 10:03 AM, Kyle Brantley wrote:
> On 12/21/2012 3:56 PM, Alan Clegg wrote:
>> On Dec 22, 2012, at 9:52 AM, Kyle Brantley wrote:
>>
>>> # named.conf
>>> options {
>>>     [...]
>>>     dnssec-enable yes;
>>>     dnssec-validation yes;
>>>     dnssec-secure-to-insecure yes;
>>>
On 12/21/2012 3:56 PM, Alan Clegg wrote:
On Dec 22, 2012, at 9:52 AM, Kyle Brantley wrote:
# named.conf
options {
    [...]
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-secure-to-insecure yes;
    dnssec-dnskey-kskonly yes;
}
By setting dnssec-dnskey-kskonly, you are telling i
On Dec 22, 2012, at 9:56 AM, Alan Clegg wrote:
>
> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
> a(mother) ZSK.
Stupid autocorrect. a(nother) not anything about anyone's mother.
AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
On Dec 22, 2012, at 9:52 AM, Kyle Brantley wrote:
> # named.conf
> options {
>     [...]
>     dnssec-enable yes;
>     dnssec-validation yes;
>     dnssec-secure-to-insecure yes;
>     dnssec-dnskey-kskonly yes;
> }
By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
a(mother) Z
I've generated a KSK as well as a ZSK and configured bind to maintain
the keys.
# named.conf
options {
    [...]
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-secure-to-insecure yes;
    dnssec-dnskey-kskonly yes;
}
[...]
zone "averageurl.com." IN {
type master;
On Dec 21, 2012, at 8:45 AM, Marek Kozlowski wrote:
> As I can see BIND allows duplicate A:
>
> pikus IN A 192.168.1.1
> pikus IN A 192.168.1.2
Those aren't duplicates. They are a record set of two records. If they had the
same data, we would call them duplicates.
A record set is a set of
:-)
As I can see BIND allows duplicate A:
pikus IN A 192.168.1.1
pikus IN A 192.168.1.2
and PTR:
192.168.1.1. IN PTR pikus.somedomain.com.
192.168.1.1. IN PTR filemon.somedomain.com.
and disallows duplicate CNAMEs in the same way. For A and PTR both
records are returned. My question