Re: ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
- Original Message -
> So, can I just remove the Revoke line (is there an option in
> dnssec-settime to do this?)

and have things fixed... guess dnssec-settime -A none -R none will remove it, but guessing there's more to fixing my current mess?

--
Who: Lawrence K. Chen, P.Eng. - W0

Re: ZSK rollover weirdness

2013-09-06 Thread Evan Hunt
> So, can I just remove the Revoke line (is there an option in
> dnssec-settime to do this?)

"dnssec-settime -R none" can do that. But I gather the key has already had its REVOKE flag set in the zone, so if you want to get things back to the status quo, you probably want to purge and restore the

Re: ZSK rollover weirdness

2013-09-06 Thread Phil Mayers
On 06/09/13 17:28, Lawrence K. Chen, P.Eng. wrote:
> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)

Registrars supporting DNSSEC + DS Records

2013-09-06 Thread David White
I've only recently joined this bind-users@ list, so please feel free to smack me if this is considered off-topic and an unwanted discussion. I've recently done research into DNSSEC to understand its intricacies and possibly implement it onto my (low traffic) authoritative BIND servers for a number

Re: ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
- Original Message -
> Lawrence K. Chen, P.Eng. wrote:
> >
> > And, the prior ZSK was 14565
> >
> > ; This is a zone-signing key, keyid 14565, for ksu.edu.
> > ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> > ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> > ; Activate: 20

Re: ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
- Original Message -
> On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt < e...@isc.org > wrote:
> > The revoke bit has no defined meaning for a ZSK.
>
> While it's true the revoke bit really has no use for a true ZSK
> (i.e., a key where there's another key, a KSK, that is used to
> authentica

Re: ZSK rollover weirdness

2013-09-06 Thread Casey Deccio
On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt wrote:
> The revoke bit has no defined meaning for a ZSK.

While it's true the revoke bit really has no use for a true ZSK (i.e., a key where there's another key, a KSK, that is used to authenticate it), RFC 5011 doesn't distinguish based on either sign

Re: Registrars supporting DNSSEC + DS Records

2013-09-06 Thread Carl Byington
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 2013-09-06 at 13:03 -0400, David White wrote:
> It seems like comparatively few registrars actually support DNSSEC
> and/or DS records. Mine certainly does not.

I like gkg.net - supports DS records and ipv6 glue, with an API to upload your new

Re: ZSK rollover weirdness

2013-09-06 Thread Evan Hunt
> The current ZSK is 44538
>
> ; This is a zone-signing key, keyid 44538, for ksu.edu.
[...]
> ; Revoke: 2013120209 (Mon Dec 2 03:00:00 2013)

The revoke bit has no defined meaning for a ZSK. It's used for updating trust anchors via RFC 5011. The code allows you to set it (just as it allows y

Re: ZSK rollover weirdness

2013-09-06 Thread Phil Mayers
On 06/09/13 17:39, Tony Finch wrote:
> It is the same key as 14565 but the addition of the revoke bit has changed the tag.

Oops yes, not crazy flags - revoke bit.

Re: ZSK rollover weirdness

2013-09-06 Thread Tony Finch
Lawrence K. Chen, P.Eng. wrote:
>
> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Rev

ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
Getting reports of people with certain ISPs (like comcast) can't resolve my domains now. Did a dnsviz on my domain and the error is:

RRSIG ksu.edu/A by ksu.edu/DNSKEY alg 8, key 14693: The RRSIG was made by a revoked key.

Which makes no sense, because I have no key with that id in my key repos

Re: Who is right?

2013-09-06 Thread Phil Mayers
On 09/06/2013 08:27 AM, Marco Davids (SIDN) wrote:
> dig ANY example.org @..

ANY is a tricky record to send to a recursive server. Some DNS servers (e.g. bind) just return anything in-cache. Others (e.g. unbound) do things differently. In short: ANY is a debugging tool and can't be relie

Re: Who is right?

2013-09-06 Thread Sten Carlsen
AFAIK dig any will return whatever might be in the cache at the time of the question.

On 06/09/13 9:27, Marco Davids (SIDN) wrote:
> dig ANY example.org @..
>
> Google Public DNS:
> --
> returns DS: no
>
> BIND 9.9.3-P2:
> --
> returns DS: yes
>
> Unbound 1.4.

Who is right?

2013-09-06 Thread Marco Davids (SIDN)
dig ANY example.org @..

Google Public DNS:
--
returns DS: no

BIND 9.9.3-P2:
--
returns DS: yes

Unbound 1.4.20:
---
returns DS: no

Personally I don't care much, but perhaps someone on this list has a strong opinion about these differences that I should