On Tue, 2021-06-15 at 14:27 +1000, Mark Andrews wrote:
> https://downloads.isc.org/isc/bind9/9.16.16/doc/arm/Bv9ARM.pdf
The modern-day RTFM :-)
-Jim P.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
On Thu, 2021-04-22 at 10:59 +0100, Greg Donohoe wrote:
> Hello,
> I have created a CI/CD pipeline in order to amend zone files using
> nsupdate based on a front end user request. This portion of the
> pipeline is working as expected so now I want to be able to connect
> from my pipeline runner to m
On Wed, 2021-04-14 at 08:07 +, Richard T.A. Neal wrote:
>
> Just out of interest, because I run some services on OVH, I know what
> that term means. When you rent a dedicated server from OVH you are
> assigned a single IPv4 address. Let's assume that you then want to use
> VMware or Hyper-V on
t very clear.
> Eventually I hope to improve this once our resolvers support RFC8914
> extended dns errors which we could pass on to the frontend.
+1 Thanks!!
> On 4/9/21 9:11 PM, Jim Popovitch via bind-users wrote:
> > > > What I can't figure out is how/when does .ch que
On April 9, 2021 8:21:33 PM UTC, "John W. Blue via bind-users"
wrote:
>Sorry .. clicked send too soon.
>
>Found this via google:
>
>https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html
>
>"You can not add DS keys as we compute it for you with the KSK or ZSK, then we
>send it to the
NS query returned: "Server failed to complete the DNS request".
>"
>
>You should check the requirements. You'd need to answer for three
>consecutive days, be consistent in all NS IP addresses, etc.
>
>Hugo
>
>On 15:11 09/04, Jim Popovitch via bind-users wr
On Fri, 2021-04-09 at 19:05 +, John W. Blue via bind-users wrote:
> So the issue here is that the DS record that sit in .ch has an ID of 22048
> but the domainmail.ch servers are telling the world that the correct ID is
> 17870.
>
> Thus the DNSSEC breakage.
Of course, however there is no 2
Hello!
I've read the "Schacher 20200622 Support for and adoption of CDS in .ch
and .li", and studied
https://kb.isc.org/docs/dnssec-key-and-signing-policy, however I've hit a brick
wall:
https://dnsviz.net/d/domainmail.ch/dnssec/
What am I missing?
I'm using the following policy and zone conf
On Tue, 2020-11-24 at 22:22 -0500, Paul Kosinski wrote:
> My reading of the headers (below) does *not* suggest "Reply All".
>
> Rather, they show that mx.pao1.isc.org sent/forwarded the email once,
> and it was received by lists.isc.org once with ESMTP ID 026B967ED73.
> But then lists.isc.org rese
On Mon, 2020-11-23 at 08:13 +0100, Reindl Harald wrote:
>
> Am 23.11.20 um 04:58 schrieb Jim Popovitch via bind-users:
> > On Sun, 2020-11-22 at 21:56 -0500, Paul Kosinski via bind-users wrote:
> > > I've been getting two identical copies of recent posts to this list...
On Sun, 2020-11-22 at 21:56 -0500, Paul Kosinski via bind-users wrote:
> I've been getting two identical copies of recent posts to this list...
Me too, but it's because of people hitting reply-all thinking that they
are replying to the list and the poster. People really need to verify
who they ar
On November 9, 2020 7:18:03 AM UTC, Rob McEwen wrote:
>Several weeks ago, Mark Andrews gave me an excellent suggestion about a
>particular BIND feature, but it is a somewhat recent feature that
>started to exist on a version of BIND that isn't yet distributed in the
>default/main BIND distribut
On Thu, 2020-09-10 at 13:50 -0400, Jim Popovitch via bind-users wrote:
> On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> > I manage an anti-spam DNSBL and I've been running into an issue in recent
> > years - that I'm FINALLY getting around to asking about. I just
On Thu, 2020-09-10 at 11:56 -0400, Rob McEwen wrote:
> I manage an anti-spam DNSBL and I've been running into an issue in recent
> years - that I'm FINALLY getting around to asking about. I just joined this
> list to ask this question. Also, I checked the archives, but couldn't find an
> answer
On Wed, 2020-04-15 at 14:21 +0200, Reindl Harald wrote:
>
> Am 15.04.20 um 14:17 schrieb Jim Popovitch via bind-users:
> > On Wed, 2020-04-15 at 10:35 +0200, Klaus Darilion wrote:
> > > Thanks for answer!
> > >
> > > So actually it is just a cosmet
On Wed, 2020-04-15 at 10:35 +0200, Klaus Darilion wrote:
> Thanks for answer!
>
> So actually it is just a cosmetic change not addressing a real problem.
>
> I will miss the bind9 service :-(
Wait until you find out about Predictable Network Interface Names and
iptables rules. :)
-Jim P.
On Thu, 2020-04-02 at 09:27 +1100, Mark Andrews wrote:
> > On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users <
> > bind-users@lists.isc.org> wrote:
> >
> > Hello!
> >
> > I started on #bind, moved on to the ARM, and now I am here.
> >
> >
Hello!
I started on #bind, moved on to the ARM, and now I am here.
Here is what I want:
update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;};
This is what I get:
~$ named-checkconf
/etc/bind/named.conf:73: '_acme-challenge.*' is not a wildcard
What am I doing wro
Jim P.
Forwarded Message
From: Vicky Risk
Reply-To: no-re...@zoom.us
To: Jim Popovitch
Subject: Reminder: DNSSEC series starts in 1 day
Date: Tue, 11 Feb 2020 18:14:12 +
Hi Jim Popovitch,
This is a reminder that "DNSSEC series" will begin in 1 day on:
Date Tim
On 11/12/19 4:42 AM, Alessandro Vesely wrote:
Hi,
I have a signed domain, with inline-signing yes and auto-dnssec maintain.
Although the domain is static, the .signed and .signed.jnl files are being
rewritten without apparent reason. They are about a month newer than the
corresponding .jbk and
On Thu, 2019-10-10 at 10:39 -0400, Jim Popovitch via bind-users wrote:
> Hello!
>
> Is this a language/translation issue, or is named telling me that it
> would but didn't limit?
>
>
> Oct 10 00:57:21 ns2 named[623]:
Hello!
Is this a language/translation issue, or is named telling me that it
would but didn't limit?
Oct 10 00:57:21 ns2 named[623]: would limit REFUSED error responses to
2404:6800:4003:c00::/56
Oct 10 00:58:35 ns2 named[623]: would stop limiting
On Sun, 2019-07-28 at 02:14 +1000, Mark Andrews wrote:
> > On 28 Jul 2019, at 2:03 am, Jim Popovitch via bind-users
> > wrote:
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > On Su
On Sun, 2019-07-28 at 01:36 +1000, Mark Andrews wrote:
> Authoritative servers lookup addresses of nameservers to send notify messages.
> If the names are not in the authoritative data it will iterate to find the
> address.
Thanks Mark. BTW, this i
On Sat, 2019-07-27 at 11:04 -0400, Jim Popovitch via bind-users wrote:
> Hello!
>
> Why would an auto-only server (in this case the master) report this:
>
> Jul 27 13:07:58 ns1 named[624]: resolver priming query complete
Hello!
Why would an auto-only server (in this case the master) report this:
Jul 27 13:07:58 ns1 named[624]: resolver priming query complete
tia,
-Jim P.
On Sun, 2019-07-14 at 18:30 -0400, Paul Kosinski via bind-users wrote:
> Testing how lists.isc.org handles DMARC "Quarantine" (and "Reject")
> policy. The enterpr...@mozilla.org mailing list forwards such email in a
> way that some recipients choke o
On Thu, 2019-01-31 at 21:12 +0530, Mukund Sivaraman wrote:
> On Thu, Jan 31, 2019 at 10:30:30AM -0500, Jim Popovitch via bind-
> users wrote:
> > On Thu, 2019-01-31 at 19:14 +0530, rams wrote:
> > > Hi,
> > > I have setup sshfp records as follows in bind zone f
On Thu, 2019-01-31 at 19:14 +0530, rams wrote:
> Hi,
> I have setup sshfp records as follows in bind zone file:
>
> test1.ramesh-sshfp.com. 86400 IN SSHFP 1 1 aa
> test2.ramesh-sshfp.com. 86400 IN SSHFP 1 1 00
>
> Successfully started bind but when queried for domain test1 and test2
> , ret
What are the definitive steps for purging (rm -f) old DNSSEC key files
that expired months ago?
tia,
-Jim P.
On Fri, 2018-08-10 at 09:47 +1000, Mark Andrews wrote:
> > On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users > s...@lists.isc.org> wrote:
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
Is it possible to...
1) use text only zone files, and
2) keep serials identical between those zone files and what is
published in DNS, and
3) automatically handle signatures when adding new RRs, and
4) not have any journal files.
Is all of that
On Sat, 2018-05-19 at 01:03 +, Evan Hunt wrote:
> On Fri, May 18, 2018 at 04:28:24PM -0400, Jim Popovitch via bind-
> users wrote:
> > Honest question Why are there so many sourcecode
> > modifications/additions/deletions b
Honest question Why are there so many sourcecode
modifications/additions/deletions between v9.12.1 and v9.12.1-P2? Some
files should obviously change between minor versions, but ~1300 ?
Bind9 v9.12.1-P2 changed files:
http://paste.debian.net/pl
Hello,
Is there a roadmap for DNSSEC signing capabilities? I'm specifically
wondering if any features are planned to fully automate signing, such
as being able to specify simple zone options like "dnssec-cycle=90d;"
and having bind9 fully manage t
On Mon, Oct 31, 2016 at 12:21 PM, Tony Finch wrote:
> Jim Popovitch wrote:
>>
>> It seems to me that anycast is probably much worse in the Mirai botnet
>> scenario unless each node is pretty much as robust as a traditional
>> unicast node.
>
> This blog post is a
On Mon, Oct 31, 2016 at 11:27 AM, Matthew Seaman
wrote:
> On 2016/10/31 14:53, Jim Popovitch wrote:
>> On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman
>> wrote:
>>> This despite the fact that Dyn has a global anycast network with
>>> plenty of bandwidth, point
On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman
wrote:
> This despite the fact that Dyn has a global anycast network with
> plenty of bandwidth, points of presence all round the world and
> each POP contains a bunch of top-of-the-line servers.
It seems to me that anycast is probably much worse i
On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger
wrote:
>
> http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/
>
> After the DS TTL expired I removed the old DS, so the zone now looks
> like this:
>
> http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/
>
TBH, the prior one looks cooler than the later.
-J
On Mon, Sep 05, 2016 at 05:12:47PM +0100, Tony Finch wrote:
> Jim Popovitch via bind-users wrote:
> >
> > Thanks. Now I'm seeing something slightly different. I have 3 NS
> > servers, ns{1-3}.domainmail.org.
> >
> > When I first asked 3 days ago I was seein
On Mon, Sep 05, 2016 at 09:51:25AM +0100, Tony Finch wrote:
> Jim Popovitch via bind-users wrote:
> >
> > Should minimal-all (v9.11.0-rc1) work on a master? My testing shows
> > that it only works on the slave DNS servers.
>
> Works for me :-) minimal-any is implement
On Fri, Sep 02, 2016 at 06:59:35PM +, Jim Popovitch via bind-users wrote:
> Hello,
>
> Should minimal-all (v9.11.0-rc1) work on a master? My testing shows that it
> only works on the slave DNS servers.
>
And by minimal-all I mean minimal-any (i keep typo'ing that fo
Hello,
Should minimal-all (v9.11.0-rc1) work on a master? My testing shows that it
only works on the slave DNS servers.
relevant named.conf: http://paste.debian.net/plainh/62ee2440
-Jim P.
Hello,
I recently rolled out auto-dnssec and inline-signing (v9.9.5), and
today (1-Oct 00:00 UTC) was the first automatic zsk rollover.
According to http://dnsviz.net/d/domainmail.org/dnssec/ it appears
that the SOA is signed by the new zsk, but the rest of the RRs are
still signed by the old. T
On Sat, Aug 22, 2015 at 12:49 PM, Evan Hunt wrote:
>> Is the zone being signed every hour, or is it just a check? FWIW,
>> the .signed and .jnl are not being modified every hour, so I suspect
>> that log entry is just a periodic check.. but I'm not sure.
>
> It's a check to see if the zone keys
Hello!
Recently upgraded a master server to bind-9.9.7-P2, in order to take
advantage of automated inline signing as detailed here:
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
One thing I'm noticing is that it appears that the zones are resigned
or check