> From: Mark Andrews
> Sent: Monday, July 14, 2014 6:33 PM
>
> For a DS to *work* it needs to point to a key that signs the DNSKEY
> RRset. Validators check that the signature exists. Activating the
> key will add 1 signature to the zone.
Let me preface this reply by indicating that I am far fro
In message <20140715004923.gg31...@bender.unx.csupomona.edu>, "Paul B. Henson"
writes:
> On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote:
>
> > The new key does not sign the DNSKEY RRset.
> [...]
> > Make sure the DNSKEY RRset is signed with the new key then try to
> > add the DS re
On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote:
> The new key does not sign the DNSKEY RRset.
[...]
> Make sure the DNSKEY RRset is signed with the new key then try to
> add the DS record to the parent.
It's intentionally not being used for signing; it's published but not yet
activa
The new key does not sign the DNSKEY RRset.
% dig csupomona.edu dnskey +rrcomm +dnssec | grep 58561
csupomona.edu. 43072 IN DNSKEY 257 3 8
AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9urWU1Tq4kc21Ca0wsFZQCB
1jU5XNXCiITwEiRboxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbibnd3Y
6oeUfZvKyqgvNlSJqpLdC5Ss
> From: Stephane Bortzmeyer
> Sent: Monday, July 14, 2014 1:43 PM
>
> > So, I suspect a bug in EDUCAUSE.
>
> Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU
> issue.
Cool, thanks for double checking me and a potential problem to look at.
Makes me feel a little bit better tha
On Mon, Jul 14, 2014 at 10:40:19PM +0200,
Stephane Bortzmeyer wrote
a message of 19 lines which said:
> So, I suspect a bug in EDUCAUSE.
Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU
issue.
On Mon, Jul 14, 2014 at 01:24:38PM -0700,
Paul B. Henson wrote
a message of 135 lines which said:
> And finally, the new key I just created, for which I'm trying to add DS
> records. The dsset file created by dnssec-signzone says these records should
> be:
I find the same values as you, using
We roll our KSKs for our edu domain annually in July, after which I need to
manually go to the EDUCAUSE management site to delete the old DS records for
the key no longer in use, and add the new DS records for the key just
published and scheduled to be used the following year.
This year, after de
On 7/14/14, 2:05 AM, Steffen Sledz wrote:
> On 12.07.2014 01:56, Alan Clegg wrote:
>> On 7/11/14, 7:19 PM, Mark Andrews wrote:
>
>>> For the record it isn't the zone. It's enabling IPv6 locally without
>>> having a working upstream link. You would get that message without the
>>> zone being co
Thank you Tony and Joseph,
I think you have explained this well, and most importantly, exposed the
underlying issues.
Best regards,
Gary
On 7/14/2014 06:27, Tony Finch wrote:
Gary Wallis wrote:
What are the drawbacks, if any, of running only master name servers for the
set of authoritativ
Gary Wallis wrote:
>
> What are the drawbacks, if any, of running only master name servers for the
> set of authoritative NSs?
That depends entirely on how you are replicating the zone data.
The DNS's own replication (AXFR, IXFR, NOTIFY, TSIG) is pretty hard to
beat: it is fast, secure, and cope