Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Mark Andrews
More to the point why was the old KSK removed *before* checking that the DS record for the new KSK was published and had been for the TTL of the DS RRset? With proper procedures this should not happen. When something goes wrong / is delayed in a key rollover the process should stall until that

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-06 Thread Fred Morris
They don't seem well documented. Even in the ARM for 9.12 they're listed as options but no explanation is provided. It's easy to suspect that nobody is going to use an option which isn't documented (unless they're of a mind to browse sourcecode). This could be a self-fulfilling assumption. On

RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
The problem has been resolved. The automatic KSK rollover on the dotgov.gov did not happen properly and once we manually updated the DS record with the correct KSK keytags and keys things were fixed. All is good now. Now to see if we can find out as to why the automatic KSK failover on the do

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 9:05 am, Nick Tait via bind-users wrote: I could be wrong, but based on the output above it looks like the current TTL is 0, which means that doing this should provide immediate relief. Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has done something we

Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-06 Thread Evan Hunt
Hello, In line with ISC's deprecation policy, I am notifying the mailing list of our intent to deprecate the "resolver-nonbackoff-tries" and "resolver-retry-interval" options in named. These options fine-tune query retry behavior in the resolver for testing purposes. They are not thought to be us

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi It seems the DNSSEC delegation is broken from “.gov” to bls.gov domain and due to which the records for bls.gov are considered as bogus and we are having issues at our site. It looks like we were in the process of KSK

dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi It seems the DNSSEC delegation is broken from ".gov" to bls.gov domain and due to which the records for bls.gov are considered as bogus and we are having issues at our site. It looks like we were in the process of KSK rollover and that may have caused the issue as things were fine till yest