Re: Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

2013-02-05 Thread Carl Byington
On Tue, 2013-02-05 at 17:01 -0800, Augie Schwer wrote: > Is there a way to exclude a domain from DNSSEC validation, like > Unbound's "domain-insecure"? I have not tested this, but if you use RPZ to block the DS record for nasa.gov, that should turn it

Re: adding DS record via nsupdate

2013-02-05 Thread Mark Andrews
The update code has sanity checks. You can only add DS records where delegating NS records exist. If you remove a delegating NS rrset any DS records there will also be removed. This check is done after all the records have been processed. Mark > server 127.0.0.1 > zone example > key key.dv.i

Exclude a domain from DNSSEC validation, like Unbound's "domain-insecure".

2013-02-05 Thread Augie Schwer
Is there a way to exclude a domain from DNSSEC validation, like Unbound's "domain-insecure"? For example if a popular site ( say nasa.gov ) updates their keys incorrectly so that their domain fails validation, you contact their admins. and with a high level of confidence you determine this is a co

Re: adding DS record via nsupdate

2013-02-05 Thread Doug Barton
On 02/05/2013 03:30 PM, Jack Tavares wrote: Hello - I am trying to add a DS record via nsupdate and I can't get it to succeed. It does not generate an error, but when I dig for the DS record I get NXDOMAIN. When I edit the zone file and add the same DS record and reload, I can query it just f

Re: adding DS record via nsupdate

2013-02-05 Thread Andrew Latham
On Tue, Feb 5, 2013 at 6:30 PM, Jack Tavares wrote: > Hello - > > I am trying to add a DS record via nsupdate and I can't get it to succeed. > > It does not generate an error, but when I dig for the DS record I get > NXDOMAIN. > > When I edit the zone file and add the same DS record and reload,

adding DS record via nsupdate

2013-02-05 Thread Jack Tavares
Hello - I am trying to add a DS record via nsupdate and I can't get it to succeed. It does not generate an error, but when I dig for the DS record I get NXDOMAIN. When I edit the zone file and add the same DS record and reload, I can query it just fine. I do the following as an example: nsupd

Re: Selective resolution in a corporate environment

2013-02-05 Thread Vernon Schryver
> From: Evan Hunt > > IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it. > Unless DNSSEC is in use, in which case the end user can figure it out, > so RPZ doesn't bother lying. Unless the

Re: Selective resolution in a corporate environment

2013-02-05 Thread Evan Hunt
> IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it. Unless DNSSEC is in use, in which case the end user can figure it out, so RPZ doesn't bother lying. (I've wished before that there were so

RE: Selective resolution in a corporate environment

2013-02-05 Thread Vernon Schryver
> From: Shawn Bakhtiar (about RPZ) > IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it. > Unfortunately (and I have the highest and greatest respect for Paul) but > after reading this htt

RE: Selective resolution in a corporate environment

2013-02-05 Thread Shawn Bakhtiar
I did not know about RPZ. Here is a good configuration example: http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without

Re: Selective resolution in a corporate environment

2013-02-05 Thread funky monkey
> From: Phil Mayers p.may...@imperial.ac.uk > To: bind-users@lists.isc.org, > Date: 05/02/2013 15:44 > Subject: Re: Selective resolution in a corporate environment > > On 05/02/13 15:36, funky monkey wrote: > > > Could you sandwich that in a forwarding chain - say have a bind > > 9. in between your

Re: Selective resolution in a corporate environment

2013-02-05 Thread Phil Mayers
On 05/02/13 15:36, funky monkey wrote: Could you sandwich that in a forwarding chain - say have a bind 9. in between your normal forwarders to internet, and does it just look for the entries you've specified as either alternate data or does not exist, but otherwise, carries on to forward to an a

Re: Selective resolution in a corporate environment

2013-02-05 Thread funky monkey
> From: Phil Mayers > To: bind-users@lists.isc.org, > Date: 05/02/2013 15:26 > Subject: Re: Selective resolution in a corporate environment > > On 05/02/13 15:16, funky monkey wrote: > > > But to get back to what I'm often asked for, more as a tactical > > solution, is there any way of being abl

Re: Selective resolution in a corporate environment

2013-02-05 Thread Emil Natan
Look for my answer below. On Tue, Feb 5, 2013 at 5:16 PM, funky monkey wrote: > One of my responsibilities has been general DNS (across platform) > expertise in the organisation I currently work for. Over a fair amount of > time, one thing that's repeatedly cropped up, has been the (ideally > sel

Re: Selective resolution in a corporate environment

2013-02-05 Thread Phil Mayers
On 05/02/13 15:16, funky monkey wrote: But to get back to what I'm often asked for, more as a tactical solution, is there any way of being able to subvert specific DNS names with alternate responses, whilst leaving the rest of the resolution to be obtained in the normal way - I know that doesn't

Selective resolution in a corporate environment

2013-02-05 Thread funky monkey
One of my responsibilities has been general DNS (across platform) expertise in the organisation I currently work for. Over a fair amount of time, one thing that's repeatedly cropped up, has been the (ideally selective) subversion of DNS resolution of certain internet DNS domains. Sometimes that ha
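One way to get the selective subversion this thread asks for (alternate data for a few names, "does not exist" for others, everything else resolved normally), as an added example that is not from any post, from the jpmens article linked above, or from ISC: a named.conf fragment enabling a BIND response policy zone, followed by the RPZ zone file it references. The zone name, file path, names and addresses are placeholders. The DNSSEC note in the comments refers to the response-policy `break-dnssec` option, which is the behaviour Evan Hunt's reply above ("RPZ doesn't bother lying") is about.

```conf
// Added example, not from the thread. named.conf fragment for a BIND 9.8/9.9
// recursive resolver that rewrites a handful of names with RPZ and leaves all
// other resolution alone. Zone name, file path and addresses are placeholders.
options {
    recursion yes;
    dnssec-validation auto;

    // RPZ: policies come from the local zone "rpz.local".
    // break-dnssec defaults to "no": when the client asked for DNSSEC (DO=1)
    // and the real answer is signed, the signed answer is delivered unmodified
    // rather than a forged one that would fail validation.
    // break-dnssec yes applies the policy anyway; a validating stub then
    // sees the rewritten names as bogus (SERVFAIL), so it is a weaker setting.
    response-policy { zone "rpz.local"; } break-dnssec no;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";
    allow-query { none; };     // policy data is never served to clients directly
};

; ---- /etc/bind/rpz.local.db (placeholder path) ----
; RPZ zone: the owner name is the query name to act on; the RDATA is the policy.
$TTL 300
@   IN SOA  localhost. root.localhost. ( 2013020501 3600 900 604800 300 )
    IN NS   localhost.

; 1. Alternate data: answer www.example.com with a local address instead of
;    what the Internet says (192.0.2.10 is a documentation address, placeholder).
www.example.com          IN A      192.0.2.10

; 2. "Does not exist": return NXDOMAIN for a domain and everything under it.
blocked.example          IN CNAME  .
*.blocked.example        IN CNAME  .

; 3. NODATA: the name exists but has no records of any type.
nodata.example           IN CNAME  *.

; 4. Pass-through: exempt one name from the policies (here from the wildcard
;    rule in 2) so it resolves normally.
ok.blocked.example       IN CNAME  rpz-passthru.
```

Only names listed in the policy zone are affected; anything else is resolved the normal way, which is what makes this a tactical tool rather than a replacement for the resolver's forwarding setup. Reload the policy zone (rndc reload rpz.local) after editing it, and check both files with named-checkconf and named-checkzone before reloading.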

dnssec keys and multiple slots

2013-02-05 Thread Emil Natan
Hi all, I'm trying to implement DNSSEC using BIND and SoftHSM. I'm using the pkcs11-* and dnssec-* tools to manage the keys in the HSM and sign the zones. When I store both KSK and ZSK under single slot there is no problem to create local key files with dnssec-keyfromlabel and sign the zone. What