Re: How to *require* TSIG for NOTIFY

2022-11-14 Thread Ondřej Surý
It’s `also-notify ;` and `notify explicit;` The online documentation is here: https://bind9.readthedocs.io/en/v9_16_34/reference.html Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working

Re: How to *require* TSIG for NOTIFY

2022-11-14 Thread Jesus Cea
On 15/11/22 3:30, Mark Andrews wrote: NOTIFY is a hint for the secondary to perform a SOA refresh query sooner than the SOA query triggered by REFRESH and RETRY. Those queries are rate limited. Additionally multiple notify messages often coalesce into one action as the server is waiting to s

Re: How to *require* TSIG for NOTIFY

2022-11-14 Thread Mark Andrews
> On 15 Nov 2022, at 12:41, Jesus Cea wrote:
>
> Hi everybody,
>
> I can configure my bind master to send TSIG in the NOTIFY messages, but I am not able to configure secondaries to *ONLY* allow NOTIFY with a valid TSIG.
>
> In the slave zone config I have something like:
>
> """
> zone "X

How to *require* TSIG for NOTIFY

2022-11-14 Thread Jesus Cea
Hi everybody,

I can configure my bind master to send TSIG in the NOTIFY messages, but I am not able to configure secondaries to *ONLY* allow NOTIFY with a valid TSIG.

In the slave zone config I have something like:

"""
zone "XXX" {
    type slave;
    ...
    allow-notify { key "KEY_TSIG"; };
    mast

Re: CH/TXT/VERSION.SERVER queries

2022-11-14 Thread Ondřej Surý
Hi Anand, correct me if I am wrong, but the VERSION.SERVER doesn't seem to be anywhere documented[1], and you are the first one to request it[2]. 1. RFC 4892 only talks about ID.SERVER 2. Please create a GitLab issue for tracking Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My working hours a

CH/TXT/VERSION.SERVER queries

2022-11-14 Thread Anand Buddhdev
Hi folks (especially BIND developers), Apologies if this has been discussed and answered before. I just noticed that BIND doesn't respond to CH/TXT/VERSION.SERVER queries. It only responds to ID.SERVER. Other name servers, such as Knot DNS, NSD, Verisign's ATLAS name server, Quad9's and Clou

Re: Deprecating auto-dnssec and inline-signing in 9.18+

2022-11-14 Thread Matthijs Mekking
FYI: We are going forward with deprecating 'auto-dnssec' in 9.18+. We might deprecate 'inline-signing' too in 9.18, but only if we have implemented the replacement code to configure it inside 'dnssec-policy' in time. After last year's discussion on this mailing list I initially wanted to mak