Hi Mark,
I think I found the problem. Seems Webmin's code for handling the signing
wasn't dealing with NSEC3PARAM records properly. Essentially when merging
the signed records back into the original host file it was only putting
NSEC, NSEC3 and RRSIG. It wasn't handling NSEC3PARAM at all. The zones
Please ignore the * in the copy pasted records. It seems the list converts
color text to be *TEXT* hehe
On 31 March 2017 at 00:11, J T wrote:
> Hi Mark,
>
> Thank you for responding. What do you mean by zone apex?
>
> If we assume one of the domains that fails to be seen as signed is "
> example
Hi Mark,
Thank you for responding. What do you mean by zone apex?
If we assume one of the domains that fails to be seen as signed is
"example.co.uk" then would the apex be the domain name with no prefixes?
I've changed the domain name but this is part of what I have in my signed
zone file for
In message
, J T writes:
> Hi,
>
> I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).
>
> I used Webmin to do the heavy lifting of signing/resigning etc.
>
> Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
> restart/zone application and that fact is reported in the
Hi All,
I have another question related to bind-dyndb-ldap. Maybe someone can
give me some hint(s).
bind-dyndb-ldap seems now to be working, only before I used several
ACLs in named.conf. Also I have some master and server definitions
and some keys for the zone transfer and the communication with
Hi,
I have 5 signed zones ( 2 x .email, 2 x .com and 1 x .co.uk ).
I used Webmin to do the heavy lifting of signing/resigning etc.
Only 2 of the 5 zones are recognised as (DNSSEC Signed) by BIND on
restart/zone application and that fact is reported in the system logs.
I’m trying to work out why
On 3/30/17 6:02 AM, Mark Elkins wrote:
> Stopping right here, Recursive lookup and Authoritative services are
> completely different services - and require different servers
> (preferably, though you could run multiple incidents of nameservers on a
> single server - but that can get ugly).
Actuall
On 30/03/2017 06:35, i.chu...@volga.ttk.ru wrote:
> Greetings to everyone!
>
> I'm an engineer at a local ISP and we have to provide 2 DNS servers running
> BIND for our clients. We have logs full of various BIND errors but are
> unable to gain full understanding of the problem. The main problem
i.chu...@volga.ttk.ru wrote:
> The machines have the IPv4 addresses: 217.23.80.4 (BIND version 9.9.4) and
> 213.80.236.18 (BIND version 9.9.5-r3)
Your problem is that you need to upgrade BIND to more recent versions that
are not vulnerable to packet-of-death attacks.
Tony.
--
f.anthony.n.finch