max-zone-ttl deprecation

2025-02-25 Thread stuart--- via bind-users
With the deprecation of "max-zone-ttl" coming soon, noting comments about it being moved to the dnssec-policy statements, how can we stop an upstream zone from accepting a dynamic update with a TTL out of range? Basic situation: - Primary zone server, no DNSSEC policies - Primary signing server

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-25 Thread Bernd Naumann
On 24.02.25 9:47 AM, Matthijs Mekking wrote: > Hi Bernd, > Hey Matthijs, Why not let us start all over again :) (I really do thank you so much for taking the time!) > Non-signing keys (for example a stand-by key), is a bit tricky in > dnssec-policy and not fully supported. > > In 9.18, I woul

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-25 Thread Peter 'PMc' Much
Thanks a lot, folks! The problem is solved - I put a "checksum" module between the firewall and the "nat" module (I have netgraph[1] modules), and that works now as expected. Apparently, when NAT-rewriting the address of a /locally created/ packet, at the time of rewriting the checksum has not

Re: Anycast DNS VIPs network IPv4

2025-02-25 Thread Greg Choules via bind-users
Hi Karol. If I understand you correctly, the choice of address to use is up to you and how it works best in your network. The DNS service addresses only need to be relevant to the network they sit in and the clients that need to reach them. In a private network, any 10 etc. address would work, as l

Re: xfer-in: Transfer status: timed out (selective failures)

2025-02-25 Thread Michael De Roover
On Tuesday, February 25, 2025 2:20:45 AM CET Crist Clark wrote: > Another thing to consider, especially if you are playing wild games routing > through tunnels and such, is to verify the server has a route back to the > client. If something in the LAN can reach it, like the first dump, but > off-ne

Anycast DNS VIPs network IPv4

2025-02-25 Thread Karol Nowicki via bind-users
Hello Everyone. Do we have any official recommendation/RFC on choosing a network for anycast VIPs which we need to advertise into the organization network? Sent from Yahoo Mail for iPhone -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the developm

Re: Questions about automatic KSK and using an additional stand-by KSK

2025-02-25 Thread Matthijs Mekking
On 24-02-2025 11:51, Bernd Naumann wrote: ... In 9.18, I would suggest disabling inline-signing and just adding the DNSKEY record to the zone. Don't put the key files for the stand-by key in the 'key-directory'; this should only hold signing keys. Jep, I've done that; except "Don't put the ke

RE: Policy-dnssec timeline step by step

2025-02-25 Thread Nguyen Thi Minh Tam via bind-users
Yes, the ZSK rollover got weird when the DS had not reached the omnipresent state yet. Why is that? -Original Message- From: bind-users On Behalf Of Matthijs Mekking Sent: Friday, February 21, 2025 2:30 PM To: bind-users@lists.isc.org Subject: Re: Policy-dnssec timeline step by step Hi, The