> My lesson is - besides just working out the configuration - testing
> RFC5011 takes more patience than just about any other feature of
> DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well.
As a side note: can you imagine my surprise when, after wai
> By default it dumps its output to a file; you can use `rndc secroots -`
> to get output on stdout.
Using "-" to get it to dump the secroots output to stdout is a new
feature added for 9.11. That hasn't been published yet, but if you build
from the source tree at source.isc.org (like Tony does),
On 4/21/15, 10:15, "Warren Kumari" wrote:
>
>From the ARM:
Sigh, RTFM...(My, BIND's gotten a lot more complicated/feature-rich since
I last read the docs.)
Hey, it's there.
smime.p7s
Description: S/MIME cryptographic signature
___
Please visit https
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis wrote:
> On 4/21/15, 9:45, "Tony Finch" wrote:
>>rndc secroots
>>
>>You can also look in the .mkeys file.
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
>
> (I had my rndc port bumped o
Edward Lewis wrote:
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Tony.
--
f.anthony.n.finchhttp://dotat.at/
Hebrides, Bailey:
On 4/21/15, 9:45, "Tony Finch" wrote:
>rndc secroots
>
>You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had my rndc port bumped out of sudo-land, so it's overridden:)
$ rndc -p 1953 -c rndc.conf
Edward Lewis wrote:
>
> I have a suggestion - is there a way to query a BIND server for it's trust
> anchor key set?
rndc secroots
(though this only provides the key tags not the public key data)
> I say perhaps unnecessary because the information may be available on
> disk (which an administra
Evan/et.al.,
I've updated to 9.10.2, adjusted the timers, etc., and have managed to
follow the keyroll.systems test over night (a handful of key changes) plus
still get the desired "AD" bit.
With the timing in mind, I looked at my unbound (I realize this is BIND
users ;)) which wasn't keeping up
8 matches
Mail list logo
