Re: 9.16.19 repeated crashes on FreeBSD 12.2-p6

2021-08-12 Thread Mark Andrews
> On 13 Aug 2021, at 15:12, Randy Bush wrote:
>
>> Presumably you are running with `named -u`
>
> # grep named /etc/rc.conf
> named_enable=YES
> named_program=/usr/local/sbin/named
> named_conf=/usr/home/dns/named.conf
> named_chrootdir=""
> named_chroot_autoupdate=NO
> n

Re: 9.16.19 repeated crashes on FreeBSD 12.2-p6

2021-08-12 Thread Randy Bush
> Presumably you are running with `named -u`

# grep named /etc/rc.conf
named_enable=YES
named_program=/usr/local/sbin/named
named_conf=/usr/home/dns/named.conf
named_chrootdir=""
named_chroot_autoupdate=NO
named_uid=bind
named_gid=bind
named_wait=YES
named_a

Re: 9.16.19 repeated crashes on FreeBSD 12.2-p6

2021-08-12 Thread Mark Andrews
> On 13 Aug 2021, at 10:03, Randy Bush wrote:
>
> FreeBSD 12.2-RELEASE-p6 GENERIC on amd64
> bind 9.16.19 from binary ports
>
> ok, i was quietly waiting for a fix to magically appear and it hasn't.
>
> i am getting 10-20 crashes a day on each of two servers. it is not
> leaving disk flowers;

Re: Switching key types for authorizing updates

2021-08-12 Thread Mark Andrews
You could also switch to using SIG(0) instead of TSIG. The client can just update the KEY RRset which is stored in the zone.

> On 13 Aug 2021, at 03:49, John Thurston wrote:
>
> On 8/12/2021 5:00 AM, Tony Finch wrote:
>> i.e. using the "subdomain" rule type instead of "selfsub", so the
>> d

9.16.19 repeated crashes on FreeBSD 12.2-p6

2021-08-12 Thread Randy Bush
FreeBSD 12.2-RELEASE-p6 GENERIC on amd64
bind 9.16.19 from binary ports

ok, i was quietly waiting for a fix to magically appear and it hasn't.

i am getting 10-20 crashes a day on each of two servers. it is not leaving disk flowers; and i see no config option to encourage it to do so.

randy
---

Re: Switching key types for authorizing updates

2021-08-12 Thread John Thurston
On 8/12/2021 5:00 AM, Tony Finch wrote:
> i.e. using the "subdomain" rule type instead of "selfsub", so the
> domain name (second foo...) doesn't need to match the keyname (first foo...)

Yes, indeed. That's the ticket. Thank you very much, Tony.

--
Do things because you should, not just because y

Re: Switching key types for authorizing updates

2021-08-12 Thread Tony Finch
John Thurston wrote:
>
> But as far as I can tell, the name of the key needs to match the hostname in
> the update-policy statement. I can define a new aes-256 key, but it can't have
> the name "foo.bar.baz.com" while the current md5 key is defined. Nor can I
> find a way to craft an update-policy

Re: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-12 Thread Ralph Seichter
* Tim Daneliuk via bind-users:

> I believe the DS record is what I have to provide my registrar as I
> understand it.

That depends on the top level domain. For example, .de uses DS records, while .com uses DNSKEY records. Best to ask your registrar.

-Ralph

Re: Can't get Bind to publish CDS/CDNSKEY using dnssec-policy

2021-08-12 Thread Josef Vybíhal
Thank you for pointing me to that issue !2857, that's exactly what I hit. Now when I see the details, it makes sense. I have cleared the domain from all keys and dnssec-policy settings. Then assigned the dnssec-policy to unsigned domain and

Re: Can't get Bind to publish CDS/CDNSKEY using dnssec-policy

2021-08-12 Thread Matthijs Mekking
Hi,

On 12-08-2021 09:02, Josef Vybíhal wrote:
> Hi, for a second day, I am scratching my head over (automatic) publishing CDS/CDNSKEY records. When I read Matthijs Mekking's KB article at https://kb.isc.org/docs/dnssec-key-and-signing-policy

Can't get Bind to publish CDS/CDNSKEY using dnssec-policy

2021-08-12 Thread Josef Vybíhal
Hi, for a second day, I am scratching my head over (automatic) publishing CDS/CDNSKEY records. When I read Matthijs Mekkings KB article at https://kb.isc.org/docs/dnssec-key-and-signing-policy, I wanted to try dnssec-policy. Up until now, I successfully was using inline-signing with auto-dnssec. I