I am going to vent, I have bitten my tongue for far too long.
I've just updated 9.18 again, as recent update, and ever since using this
9.18 mess the load has been horrendous never ever have I experienced such a
clusterfcsk of a release
14 minutes after restart bind load is greater than 8 and sti
Hi,
I recently upgraded from 9.16 to latest version and changed a zone, ran
verisign test and it said all good, so changed my zones from auto maintain
dnssec to dnssec policy default, what a nightmare, most our zones vanished
few hours later for a day, and it create new keys for everything, this bu
.
Either way it seems bind can not simply do it the way I had expected it to,
flabbergasted by that.
On Fri, Oct 22, 2021 at 10:43 AM Mark Andrews wrote:
>
>
> > On 21 Oct 2021, at 18:33, Edwardo Garcia wrote:
> >
> > Hai all,
> >
> > We have been given task
Wow, looks a right mess to be honest, might just have to leave it as is,
less aggravation.
Hard to understand why in 2021 almost 2022, we can't do something so simple
in dns
On Thu, Oct 21, 2021 at 9:49 PM Tony Finch wrote:
> Edwardo Garcia wrote:
> >
> > I guess bind can
Hai all,
We have been given task of doing some migrations within new merger.
One of these is we have a number of reverse zones, a /19 in fact, they are
mostly GENERATE'd for regions with fixed gw and a few other local custom
PTRs
I have played roughly with a fictitious in-addr.arpa (I play with
Thank you, I'll report back the result
On Wed, Aug 18, 2021 at 10:49 AM Mark Andrews wrote:
>
> > On 18 Aug 2021, at 10:23, Edwardo Garcia wrote:
> >
> > Hola Mark,
> >
> > Thank you, so to be clear, what is mean to delegate zone, the black
> zone?
Hola Mark,
Thank you, so to be clear, what is mean to delegate zone, the black zone? I
am not dns expert unfortunately
On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews wrote:
> Delegate the zone. Do NOT add a DS for it.
>
> --
> Mark Andrews
>
> On 17 Aug 2021, at 23:47, Edw
Hola
We have dnssec working for long time but need now to have a subdomain
excluded, we are going to be use it to replace an internal blacklist, we
have 14 smtp servers and it is cumbersome to keep in sync.
So we have example.net signed,
but we want black.example.net, and of course all addresses
Thank you! I have now corrected our ancient internal wiki so we now have
learned how it goes
Very much appreciate your patience and help, now I can start my weekend :->
On Sat, May 1, 2021 at 10:31 PM Tony Finch wrote:
> Edwardo Garcia wrote:
> >
> > So you mean to say
wanted both
hrmm, now I start to understand why not many use DNSSEC so confusing to
those who not do this every day, or so many instructions around nobody
knows what works
But we getting there :->
On Sat, May 1, 2021 at 8:25 PM Tony Finch wrote:
> Edwardo Garcia wrote:
>
> > O
them
or maybe the .com and .net zones having longer TTL than ours (4 hours),
confused, but I am happy enough since verisignlabs says all green ticks
On Sat, May 1, 2021 at 4:15 AM Tony Finch wrote:
> Edwardo Garcia wrote:
> >
> > One question however it talk about longest TTL, does
this mean also root
TLD zones (.com, .net) which from memory are 48 hours, so before we delete
old keys we need wait 48 hours, even though our zone TTL was 24 ?
Thank you, wow much much easy than I hoped for :-)
On Wed, Apr 28, 2021 at 12:08 PM Tony Finch wrote:
> Edwardo Garcia wr
Halo all,
Many year ago we set up DNSSEC, our key were generated with sha1 as was
recommended way back all them years. We too are not DNSSEC guru, so some
answer may be simple
Now we want to upsecure this to sha256.
Also we use ZSK -b 1024 and KSK -b 4096
even modern google from apnic show examp
hould give
answer, since it holds the record, just as it knows the internal test zone.
this all cause mail to fail, web browsing to fail, boss not happy.
On Fri, Jan 11, 2019 at 9:27 AM Edwardo Garcia wrote:
> Kevin,
> I thought lan saturation too, but I can ssh into bind server immediatel
es; }; " in your config.
> Have you had issues with IPv6 link-local addresses being associated with
> delegated nameservers? I haven't noticed this, but then again, I haven't
> been looking for that particular misconfiguration specifically...
>
>
>
With new windows update last day, we notice something strange, our local
DNS cache server timeout on lookups.
For example lookup google.com, 1 minute later fails timeout looking up, but
since it has already looked it up it should have returned answer from cache
yes? google has a 5min TTL, my cache
>
> Mark
>
> > On 14 Dec 2018, at 12:07 pm, Edwardo Garcia wrote:
> >
> > Yes, I did.
> >key-directory "keys/";
> >inline-signing yes; <- is this not required ?
> > auto-dnssec maintain;
> >
>
Yes, I did.
key-directory "keys/";
inline-signing yes; <- is this not required ?
auto-dnssec maintain;
On Fri, Dec 14, 2018 at 11:05 AM Mark Andrews wrote:
> Sounds like you added inline-signing yes;
>
> > On 14 Dec 2018, at 12:02
I have answered my own Question, yes it does, thank you! (after removing
the .signed in named.conf, else auto signing does .signed.signed
:-)
Thank you Mark!
On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia wrote:
> That seems simpler than what we once tried, OK we add that now. Tha
, Dec 14, 2018 at 10:42 AM Mark Andrews wrote:
> auto-dnssec maintain;
>
> > On 14 Dec 2018, at 11:39 am, Edwardo Garcia wrote:
> >
> >
> > zone ".com" {
> > type master;
> > allow-transfer { sysops; slaves; };
> >
for dynamic updates and let named
> automatically resign the zone as needed.
>
> > On 14 Dec 2018, at 11:13 am, Edwardo Garcia wrote:
> >
> > Hi,
> > What is the best practice for signing/re-signing zones with journal?
> >
> > We manually resign our domain, and u
Hi,
What is the best practice for signing/re-signing zones with journal?
We manually resign our domain, and use journaling, resigning is a PIA.
if we forget to thaw, the zone bails and stays unloaded because journal
roll forward error, which bring the question why? since resolution to this
is stop
Halo,
I do not sorry, there no indication in log as who, but enter server bogus
command as Noel reply seem to fix, no more messages since.
On Wed, Jun 11, 2014 at 7:06 AM, Rick Jasper wrote:
> Just curious. Do you know what query to which nameserver is returning
> that bogus fe80:: IP addre
Halo,
in recent week we have see fill daemon_log of this errors, is way to fix?
I do wrong?
socket.c:5367: unexpected error:
Jun 2 05:43:53 korali named[2951]: connect(fe80::#53) 22/Invalid argument
___
Please visit https://lists.isc.org/mailman/listinf
24 matches