Re: [KASP] setup KASP in master / slave architecture

2022-12-16 Thread Crist Clark
The statement that a BIND secondary only uses one file is incorrect. A secondary will write IXFR data to a journal file, a jnl file. But as has been stated earlier in the thread, a secondary is not involved in any way in signing a zone. One way to possibly make more sense of this is to consider how

Re: [KASP] setup KASP in master / slave architecture

2022-12-16 Thread Darren Ankney
This is all I have in my zone on secondary: zone "mylocal" { type secondary; file "/etc/bind/mylocal.saved"; primaries { 192.168.40.142; }; }; My primary is a little more complicated: zone "mylocal" { type primary; file "/etc/bind/mylocal"; notify yes; allow-update { ke

Re: [KASP] setup KASP in master / slave architecture

2022-12-16 Thread Niall O'Reilly
On 16 Dec 2022, at 15:59, adrien sipasseuth wrote: > - on the slaves: files .db > > I don't understand why there is no .db.signed file on my slave > knowing that a dig from a slave does return RRSIG. The secondary (slave) only needs one file to hold whatever zone data the primary provides when tr

Re: [KASP] setup KASP in master / slave architecture

2022-12-16 Thread adrien sipasseuth
Hi, I deleted my zone file .db on my slaves and I forced a transfer from the master. Now it seems to work, I do have the RRSIG associated with my RRset A when I do a dig from my slave. When I test my dig from my internal network I actually don't have the ad flag. But from the Google resolver (ht

Re: Domain no longer fully secure after move

2022-12-16 Thread Sandro
On 16-12-2022 10:26, Ondřej Surý wrote: some registrars or registries strip the DS record when you move between registrars. I don't know if this is the case with .nl, but I just know that it might happen. It sure was stripped. Before I provided the details for the DS entry myself, since I als

Re: Domain no longer fully secure after move

2022-12-16 Thread Ondřej Surý
> On 16. 12. 2022, at 9:25, Sandro wrote: > > The missing DS record in the .nl domain is all that's wrong. That breaks the > chain of validation, therefore showing all penguinpee.nl > entries as insecure. Hi, some registrars or registries strip the DS record when you m

Re: Behavior of port tag in options clause is ambiguous

2022-12-16 Thread Vikas Sharma
Thanks Ondrej and Clark for quick reply, I have gone through the documentation and really it's very well written, bind version used: 9.18.3 notification message = Zone Change Notification referring to part of the option clause from the original mail. port 15010; listen-on port

Re: Domain no longer fully secure after move

2022-12-16 Thread Sandro
On 14-12-2022 19:13, Sandro wrote: I recently (last weekend) moved the domain to a new registrar. The keys are now managed by the registrar directly. At least I don't see an option providing my own or additional keys in their web interface. Moreover, I'm no longer running my own DNS server. 🙁 Pr