SMIMEA TLS

2015-02-16 Thread John Allen
Does anybody know if there are any developments in this standard and its implementation? Particular reference to email.

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Casey Deccio
On Mon, Feb 16, 2015 at 11:34 AM, Stephane Bortzmeyer wrote: > With Unbound, I get a SERVFAIL: > > ... > But BIND accepts it (and so does Google Public DNS): > > ... DNSviz, like Unbound, says the domain is broken: > > "Broken" is a loaded te

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mark Andrews
In message <20150216212821.ga27...@nic.fr>, Stephane Bortzmeyer writes: > On Tue, Feb 17, 2015 at 07:34:37AM +1100, > Mark Andrews wrote > a message of 171 lines which said: > > > The validator is *not* supposed to *check* if the zone has been > > signed with all the algorithms in the DS RRs

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
On Tue, Feb 17, 2015 at 07:34:37AM +1100, Mark Andrews wrote a message of 171 lines which said: > The validator is *not* supposed to *check* if the zone has been > signed with all the algorithms in the DS RRset. It is supposed to > keep trying all RRSIG/DS/DNSKEY combinations until it succee

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mark Andrews
In message <20150216163453.ga...@nic.fr>, Stephane Bortzmeyer writes: > [The domain has recently changed its configuration so do not test it.] > > With Unbound, I get a SERVFAIL: > > % dig DNSKEY cepn.asso.fr > > ; <<>> DiG 9.9.5-8-Debian <<>> DNSKEY cepn.asso.fr > ;; global options: +cmd > ;;

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote: > ;; ANSWER SECTION: > cepn.asso.fr. 171998 IN DS 36778 5 2 ( > D21FC827CF4621DF88D06A8F6EA5F4B4DE72A362AB2E > 03D440C315A9D8FE1407 ) > cepn.asso.fr. 1719

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 11:26:00PM +0530, Mukund Sivaraman wrote: > On Mon, Feb 16, 2015 at 11:19:51PM +0530, Mukund Sivaraman wrote: > > But while RFC 4509 sec. 6 talks about this issue in the case of DS with > > SHA-2 algorithms, there is no requirement there. > > There is this nugget here: > >

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 11:19:51PM +0530, Mukund Sivaraman wrote: > But while RFC 4509 sec. 6 talks about this issue in the case of DS with > SHA-2 algorithms, there is no requirement there. There is this nugget here: > Implementations MUST support the use of the SHA-256 algorithm in DS > RRs. V

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
On Mon, Feb 16, 2015 at 10:39:52PM +0530, Mukund Sivaraman wrote: > DNSviz also has explanation for why the green shapes are secure. (1) There is one item that bothers me: "fr. to cepn.asso.fr.: The DS RRset for the zone included algorithm 5 (RSASHA1), but no key with algorithm 5 was found signin

Re: [DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Mukund Sivaraman
Hi Stephane On Mon, Feb 16, 2015 at 05:34:53PM +0100, Stephane Bortzmeyer wrote: > DNSviz, like Unbound, says the domain is broken: > > http://dnsviz.net/d/cepn.asso.fr/VOGwhA/dnssec/ DNSviz complains about missing RRs, but shows "status:SECURE" in epn.asso.fr. with green outlines for DNSKEY, SO

[DNSSEC] BIND validates but not Unbound: who is right?

2015-02-16 Thread Stephane Bortzmeyer
[The domain has recently changed its configuration so do not test it.] With Unbound, I get a SERVFAIL: % dig DNSKEY cepn.asso.fr ; <<>> DiG 9.9.5-8-Debian <<>> DNSKEY cepn.asso.fr ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62442 ;; flags: qr rd ra

RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
Good point. Fedora isn't really a good choice for Production systems - it is bleeding edge with short life cycle (usually new version is out 6 months later and they only support the most recent 2.) Fedora is used as a test bed for what ends up in RHEL later. RHEL has much longer life cycle b

Re: Request to provide procedure for bind upgrade

2015-02-16 Thread Chuck Anderson
Fedora Core 6 is no longer supported. It went End-Of-Life in 2007: http://en.wikipedia.org/wiki/Fedora_%28operating_system%29#Releases On Mon, Feb 16, 2015 at 10:16:37AM -0500, Sundram Bharti wrote: > Hi Team, > > My DNS current version is "BIND 9.8.4-P1" and OS is "Fedora Core > release 6 (Zod

RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Novosielski, Ryan
This is a question about the operating system, not BIND. There are a number of ways. You can enable rollbacks in RPM, you can keep snapshots... you're not going to run into incompatible upgrades in BIND during a simple patching. -- *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*

RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
The package is “bind” not “named”. The daemon is called “named”. You can type “rpm -qf $(which named)” to determine which package installed that daemon. (Likely it was bind.) Also if you’re running the chroot’ed version you’d want the package “bind-chroot”. I’d suggest you run “rpm -qa |

Request to provide procedure for bind upgrade

2015-02-16 Thread Sundram Bharti
Hi Team, My DNS current version is "BIND 9.8.4-P1" and OS is "Fedora Core release 6 (Zod)". So could you let me know. "_yum update named_" works for upgrade to current version, if yes then what will be the fall back procedure if upgrade fails? -- BR// Sundram Bharti +919717977886