>
> On Sat, 1 Feb 2025 14:47:35 +0000
> Marc wrote:
>
> "You have to get the bigger picture. Everything requires regulation
> otherwise big tech is going to fuck you. There are enough examples out
> there."
>
> The even bigger picture is that the regulator
>
> ! Users of Open Source projects are responsible themselves for what
> ! they use. You want to use a free image editor? fine, go ahead!
>
> Exactly, that is the idea! And I love it - it allows me to NOT
> depend on service providers, to run my infrastructure in the way
> I like it, and to be
>
> Did you know that there is significant momentum building to regulate
> software, including open source, in at least Europe and the US (and
> possibly elsewhere as well), in order to improve cybersecurity? Do you
> think this regulation will improve cybersecurity for your operations?
> What are
>
> FYI - EO 14144 has the following provision related to encrypting DNS:
>
> (c) Encrypting Domain Name System (DNS) traffic in transit is a critical
> step to protecting both the confidentiality of the information being
> transmitted to, and the integrity of the communication with, the DNS
> re
I can definitely remember having a performance difference between my container
and a vm. I never bothered to research it any further and thought maybe it was
related to older cgroups implementation, oc, or older distro.
>
> By any chance have you measured the performance difference between GNU
>
> I think this will copy duplicates, duplicates increase still layer
> size so you have 2x size of a default /usr
>
> so you can only copy individual files
>
> You are right, extra files appear in the diff! I was thinking that the
> files already present would be discarded. Copying
> wrote:
> >>>
> >>> For what it's worth this is how we build our dockers, with a builder
> >>> and then the runner. IMO it's cleaner that way and not much more
> >>> complicated. We'll continue to roll our own though so no real do
>
> What’s the size difference for you?
>
> I mean if someone wants to play with our Dockerfile and there’s a
> significant reduction is size, I would be convinced. But in a world,
> where a mobile application that does absolutely nothing has 4 GB, I feel
> like 130 MB is on the low side of the s
>
> > On 27. 8. 2024, at 18:57, Marc wrote:
> >
> > Afaik apk del \ does not free up space still.
>
> Right. That was not really my intention though. I wanted to reduce
> the amount of cruft installed in the image. The less binary stuff
> around, the less poss
>
> Sure, it’s not secret:
>
> https://gitlab.isc.org/isc-projects/bind9-docker
>
> Branches with history…
>
Afaik apk del \ does not free up space still.
If you work with a builder phase, you can probably shave off some MBs
# Version: 0.0.1 - 3proxy

#
# Stag
anges a few years up
front. (To prevent eg that once a market share is acquired, the project is
continued as not open source (think of elastic search))
> On Fri, Aug 23, 2024 at 3:51 PM Marc <mailto:m...@f1-outsourcing.eu> > wrote:
>
>
>
> I don't think you
>
> That being said. It's preposterous to complain about free software.
>
>
So if some store owner gives your kid candy that previously fell on the floor,
you are not complaining because it was for free ?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
)
So doing something for free is not an excuse to be allowed to fuck up or
be irresponsible.
>
> My kid would know better than to take free candy. And if he did he would
> know there is a risk involved for which only he would be responsible.
>
> On Fri, Aug 23,
el9 bind-9.16, maybe netstat/os?
tcp 0 0 x.x.x.x:53 0.0.0.0:* LISTEN 46622/named
tcp 0 0 y.y.y.y:53 0.0.0.0:* LISTEN 46622/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 46622/named
>
I am quite a bit annoyed with how redhat has completely failed to put proper
engineers on this dyndb-ldap.
They have currently made it like this that:
- if you have an ldap server next to your named, they literally download
everything from your ldap server to named. so you have data twice in me
be an
unsafe practice? I don't know if these files are being used to persist
information across restarts of the named service or not... These tmp
files contain binary information and as such are unreadable.
Much appreciated, and thanks in advance for some advice... Marc C
--
*"The Tru
r 30, 2020 10:45 PM
To: Marc Roos; bind-users; kpielorz.lst
Subject: Re: Bind stats - denied queries?
On 30.11.20 at 20:01 Marc Roos wrote
> You assume incorrectly that every such log entry is from spoofed
> traffic.
every relevant one, yes
> This is about correct logging. Even if
tim
please try to understand
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
and RRL is only useful for that type of attack, everything else doesn't
matter for a DNS server and, more importantly, you can't distinguish it anyway
On 30.11.20 at 18:23 Marc Roos wrote:
> Regardless if
.
On 30.11.20 at 11:12 Marc Roos wrote:
> Are newer versions of bind still logging like this
>
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
> 3.9.41.0/24
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
> 35.177.154.0/24
>
Are newer versions of bind still logging like this
Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
3.9.41.0/24
Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to
35.177.154.0/24
Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to
> I don't think so, nor does it seem to make sense to me that you would
> want such a thing (in the general case, you may have a use-case).
What would be a better way to solve this then? To filter out only the IP
addresses that are in the same netmask?
_
168.124.51
192.168.123.100
192.168.123.102
[@temp3]$ dig +short srv _http-apps._server.test._tcp.marathon.mesos
0 1 31024 server.test-usbzr-s3.marathon.mesos.
0 1 31852 server.test-z9x84-s3.marathon.mesos.
0 1 31790 server.test-k7g8r-s4.marathon.mesos.
[marc@os0 temp3]$ dig +short srv
_http-demo._s
happy camper.
Marc..
On 3/30/20 11:42 AM, Bob Harold wrote:
> Try without the "match-destinations". Only use match-clients to
> determine the view. (Or try only match-destinations as a separate test.)
> (I have never used match-destinations.)
> Turn on query logg
og files also, after setting the
debug level to 10, and the Bind server reports no errors or warnings
when it is started up. Thanks for any help offered, and below is what I
think is the relevant part of my named.conf file.
Marc
> view "localhost_resolver"
> {
> //
On 03/14/2019 04:40 AM, Niall O'Reilly wrote:
> On 14 Mar 2019, at 5:17, Marc Chamberlin via bind-users wrote:
>
>> On 03/13/2019 08:33 PM, John W. Blue wrote:
>>> As an option, instead of including /etc/rndc.key nothing prevents you
>>> from including rndc.conf
ing contest! ;-) I will go poke around and take a look at the
startup scripts
>
> Mark
>
>> On 14 Mar 2019, at 10:01 am, Marc Chamberlin via bind-users
>> wrote:
>>
>> Hello Bind Users,
>>
>> I have been working on upgrading my Bind 9.11.2 serve
Hi John, thanks for replying and your thoughts! I will intersperse my
feedback within your comments -
On 03/13/2019 08:33 PM, John W. Blue wrote:
>
> Marc,
>
>
>
> Regarding your rndc problem, I think you might be confusing rndc.
>
>
>
> If rndc is invoked wi
TXT "bar"
show
send
and if I use it as follows this is what I see -
> # nsupdate -k /etc/letsencrypt/james/Kletsencrypt.+165+56715.key -v
> ./test.txt
I get lots of output and no indication of any problems. Using dig to see
if the update indeed works -
> # dig +short -t txt test.mydomai
d-error on some settings to see if that helps ?
Regards
Marc
signature.asc
Description: OpenPGP digital signature
same built environment and same build flags to build 9.11.4 I
started getting these issues.
Could someone give a clue whether that's more likely to be an issue with my
environment, or in the code ?
Regards
Marc
e the one cpu at 100% is your bottleneck.
I checked that with mpstat earlier already and the load is evenly
distributed amongst all CPUs. None of the CPUs is overloaded.
Regards
Marc
you have reasonable kernel updates and tcp patches in
> this Solaris server ?
Yes, of course.
Regards
Marc
hink that is a reasonable statement in this environment ?
What would be the best way to "speed up the application" ? Just increase
the worker threads ?
Regards
Marc
On 06/28/17 15:31, Marc Richter wrote:
> Hi Ben,
>
> thanks for the answer.
>
> Yeah, I think you are righ
; On Jun 28, 2017 10:26 AM, "Marc Richter" <mailto:marc.rich...@de.verizon.com>> wrote:
>
> Hi,
>
> we have a setup here consisting of a recursive DNS server and two
> monitoring servers. The monitoring servers sent a test query to the DNS
>
sun4v 5.11 11.3
Thanks !
Marc
On Mon, May 16, 2016 at 12:23:30PM +0100, Tony Finch wrote:
> Marc Haber wrote:
> > in Debian, the bind9 packages have recently started to trouble me in
> > chrooted environments since some cryptographic libraries are loaded
> > after bind has chrooted itself, which resul
On Mon, May 16, 2016 at 08:09:05AM -0400, Matthew Pounsett wrote:
> On 16 May 2016 at 04:38, Marc Haber wrote:
> > I have filed Debian Bug #820974 (http://bugs.debian.org/820974)
> > accordingly. The Debian bind people suggest that I copy the respective
> > libraries to th
es
since it allows the chrooted root account to _directly_ _change_ the
files of the parent system. You can run unchrooted without much more
danger.
Greetings
Marc
--
-
Marc Haber | "I don't trust Compu
ibly security relevant libraries from
the automated update mechanisms of the distributions, and would
therefore greatly reduce ease of upgrades. It is also not mentioned in
Chapter 6 of the ARM.
What is the official upstream remedy to this situation?
Frankly, I think this
archaxis.net.
80/29.233.202.162.in-addr.arpa. 7200 IN NS ns1.archaxis.net.
so you need
zone "80/29.233.202.162.in-addr.arpa." {
...
}
Btw, this diagnosis would not have been possible if you had obfuscated
the IP address. Thanks for being open, showing your real data,
allowing s
14, 2013 at 10:29 PM, Kevin Oberman wrote:
> On Thu, Nov 14, 2013 at 11:19 AM, Marc Lampo wrote:
>
>> Hello,
>>
>> dnsstuff.com gives me all green for DNSSEC of uscg.mil.
>> dnsviz.net gives warnings (not : errors) on all RRSIG's - something with
>&g
re replying from
cache
these abnormalities should not be fatal, in my opinion.
I wonder what kind of name servers uscg.mil uses ?
Kind regards,
On Thu, Nov 14, 2013 at 7:22 PM, Khuu, Linh Contractor wrote:
> *Hi Marc,*
>
>
>
> *Yes, on my DNS server, if I do a dig @8.8.8.8 <http:/
And the name server 199.211.218.6 does not seem lame either :
$ dig @199.211.218.6 mx uscg.mil. +dnssec
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @199.211.218.6 mx uscg.mil. +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61958
;;
Not at this moment :
$ dig @8.8.8.8 mx uscg.mil. +dnssec
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 mx uscg.mil. +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42506
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0
server has knowledge, because it is authoritative, it will use
that knowledge and will not try to query name servers on the Internet.
It becomes "bogus" for that zone : no delegation, but having knowledge.
Kind regards,
Marc
On Thu, Oct 10, 2013 at 10:28 AM, Peter Olsson wrote:
Precisely !
That is why one of the sanity checks is if NS records exist at all.
If not, no DS records will be added.
And reversely : if all NS records are removed, any DS record will be
removed as well.
Just as Mark Andrews indicated.
Kind regards,
Marc Lampo
On Wed, Feb 6, 2013 at 9:59 AM
.
You need to complete the chain of trust by also signing the parent
testing.net. -
and having its DS information published in its parent net. !
Kind regards,
Marc Lampo
Security Officer
EURid
From: Khuu, Linh Contractor [mailto:linh.k...@ssa.gov]
Sent: Tuesday 17 July
?
-> since the root zone is already algo 8 (RSA/SHA-256)
-> since most tld’s are 7 or 8 and most with NSEC3
the Windows DNS service is going to treat most of DNSSEC’d name space as
“unsigned” anyway …
(another argument to switch to Bind, internally ?)
Kind regards,
Marc Lampo
Security
lausible attack vector for
hackers ?
Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)
From: John Williams [mailto:john.1...@yahoo.com]
Sent: 28 June 2012 10:35 PM
To: bind-users@lists.isc.org
Subject: BIND, DNSSEC & AD
I have an environment that hosts a BIND based int
NSSEC related RFC's explicitly state to leave
authority/additional section empty if filling them would lead to the
answer becoming too big and requiring the TC bit to be set.
--> it is not a configuration setting, it's RFC defined.
Kind regards,
Marc Lampo
Security Officer
EURid (for .e
s not
easy ...)
Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)
-Original Message-
...
(Also, if you want to switch to NSEC instead of NSEC3, you can use
'rndc signing -nsec3param none'.)
--
Evan Hunt -- e...@isc.org
Internet Sys
s,
if the signatures are simply ignored.
Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)
-Original Message-
From: michoski [mailto:micho...@cisco.com]
Sent: 24 February 2012 06:01 AM
To: vinny_abe...@dell.com; kob6...@gmail.com; ma...@isc.org
Cc: bind-us...@isc.org
Subject:
ather than "fractions of seconds")
I strongly advise not to forward to external, caching name servers.
Or, if you do, also enable DNSSEC validation
(and forward to an external name server that is at least "DNSSEC aware"
- 8.8.8.8 is not, searches for DS records in the wrong pla
o 3 hours - with built-in, not changeable, max of 7
days)
and
max-cache-ttl : max positive cache time
(defaults to 7 days)
(other values that can be "corrected" are max and min refresh and retry
times,
thus protecting a slave server from "unreasonable" values sent by the
m
Hello,
To be precise :
bind.odvr.dns-oarc.net. validates
but seems to ignore expired (but otherwise valid) signatures.
unbound.odvr.dns-oarc.net. validates without ignoring expired signatures.
Kind regards,
Marc Lampo
Security Officer
EURid vzw/asbl
-Original Message-
From: Spain
struct
sockaddr_in6" (see ) where the sockaddr address is broken down
into a port number, IPv6 flow information, an IPv6 address, and a scope ID.
--
Marc Majka
On 13 Jan, 2012, at 08:59, Martin McCormick wrote:
> I am experimenting with getaddrinfo and getnameinfo and have
> gotten
ll, have not found yet were Bind 9 shows this ?)
Moral: the referral in the parent should be identical to (or be a subset of) the NS
records at domain level.
Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)
-Original Message-
From: MontyRee [mailto:chulm...@hotmail.com]
Sent: 12 January 2012
ready for DNSSEC,
there will be less and less demand for DLV (didn't I see a message stating
end-of-life ?).
Hope this is somehow helpful
if only to state that you should not expect AD-bit set from name servers
in the authoritative role.
Kind regards,
Marc Lampo
Security Officer
EURid
r "thaw" and "unthaw" zone files - it has been experienced this
triggers
"smart signing" into recalculating (but double check !)
4) Although DNSSEC keys do not expire, do change them regularly :
2-3 months for ZSKs,
1-2 years for KSKs.
Kind
4096 : so the server returns most of
EDNS0 info in the query,
but replaces the UDP payload size by what it accepts itself.
(cfr recent posting of Mark Andrews in IETF dnsext mailing list about
finding this out)
Kind regards,
Marc Lampo
Security Officer
EURid
From: Gaurav Kansal
for the DS of
subdomain.domain.com.
do you get a proper reply with AD bit set ?
(no idea yet about the www.subdomain.domain.com observations)
Kind regards,
Marc
-Original Message-
From: Sergio Charpinel Jr. [mailto:sergiocharpi...@gmail.com]
Sent: 05 October 2011 02:22 PM
To: Marc Lamp
y,
but I'd check if domain.com. itself is properly signed.
Kind regards,
Marc Lampo
-Original Message-
From: Sergio Charpinel Jr. [mailto:sergiocharpi...@gmail.com]
Sent: 05 October 2011 01:57 PM
To: bind-users@lists.isc.org
Subject: DNSSEC SERVFAIL when parent zone has no DS record
Hi
.
Kind regards,
Marc Lampo
Security Officer
EURid
From: McConville, Kevin [mailto:kmcconvi...@albany.edu]
Sent: 04 October 2011 09:10 PM
To: bind-users@lists.isc.org
Subject: DNSSEC Signing & Key Questions
I'm new to this list, so please bear with me if these are/seem like
newbie quest
forget to have your caching NS validate DNSSEC answers,
because providing signatures that are ignored by clients
makes the Internet *less* safe)
Kind regards,
Marc Lampo
Security Officer
EURid
-Original Message-
From: Brad Bendily [mailto:brad.bend...@la.gov]
Sent: 27 September 20
Hello,
Do add "forward only;" to this zone statement.
Is this name server available/visible to the Internet ?
--> add "allow-query" statement to limit who can query for your internal
zone.
Kind regards,
Marc Lampo
Security Officer
EURid
-Original Message---
your
root zone ?
Kind regards,
Marc Lampo
-Original Message-
From: Tom Schmitt [mailto:tomschm...@gmx.de]
Sent: 30 August 2011 01:57 PM
To: bind-users
Subject: what does dig +trace do?
Hi,
I have a question: What does dig +trace exactly do?
The reason for my question is:
I have a interna
n the cache.
With that behaviour, it is the (validating) users of that
caching name server that will encounter problems.
I'm unsure this is desirable behaviour,
which I wanted to bring to attention.
Kind regards,
Marc Lampo
-Original Message-
From: Paul Wouters [mailto:p...@xel
g the first one, yields SERVFAIL ...
If I overlooked something obvious,
sorry for the interrupt (but thanks for sending clarifying references).
Thanks and kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
marc.la...@eurid.eu
http
that using MS DNS as validating caching name server is
pointless,
as the root uses algorithm 8 and domains with unknown algorithms are
treated as "unsigned".
--> for MS DNS, the chain-of-trust breaks right at the top level, not ?
Kind regards,
Marc Lampo
EURid
Security Officer
-Ori
*temporary* solution, until the remote side DNS administrators get
their thing fixed !!!
Kind regards,
Marc Lampo
Security Officer
EURid vzw/asbl
-Original Message-
From: Dodson, Ron [mailto:ron.dod...@lmco.com]
Sent: 04 August 2011 05:47 PM
To: bind-users@lists.isc.org
Subject: Is th
root. The local caching name server is the only one to know those "new"
roots.)
Kind regards,
Marc Lampo
-Original Message-
From: Feng He [mailto:short...@gmail.com]
Sent: 19 July 2011 07:54 AM
To: Marc Lampo
Cc: bind-users@lists.isc.org
Subject: Re: about the dig
at
I guess not, since "it" does not work ;-)
After deleting all entries, did you :
1) dig @dns.name. ...
or
2) dig @IP.address
or
3) No "@..." argument used at all ?
In cases 1 & 3, dig will need data from /etc/resolv.conf.
Only in case 2 dig can do without.
K
also using this ?
Kind regards,
Marc Lampo
Security Officer
EURid
-Original Message-
From: Stefan Foerster [mailto:c...@incertum.net]
Sent: 29 June 2011 10:57 PM
To: bind-us...@isc.org
Subject: Single nameserver doesn't show signed SOA-RRs
Hello world,
I'm having a proble
Yes, this is a setup I tested (with Bind as name server).
You would be getting answers, not with the AD bit set.
Kind regards,
Marc Lampo
-Original Message-
From: Carlos Vicente [mailto:cvicente.li...@gmail.com]
Sent: 20 May 2011 07:53 PM
To: Marc Lampo
Cc: bind-users@lists.isc.org
SEC2.pdf,
combine info on pages 15+16 (bogus NS) and 17+18 (forwarding NS)
)
Kind regards,
Marc Lampo
Security Officer
EURid
-Original Message-
From: Matthew Pounsett [mailto:m...@conundrum.com]
Sent: 20 May 2011 06:49 AM
To: Carlos Vicente
Cc: bind-users@lists.isc.org
Subject: Re:
lates the keyid and ended up with a value 3 higher
than the one of the key in the child.
But now, the same keyid is in the child zone and in the DS-record at the
parent.
And I still have authenticated (AD-bit) answers)
Kind regards,
Marc
-Original Message-
From: 'Stephane Bortzme
So far - no SHA-2 records. Only DS records with SHA-1.
I'll add DS records with SHA-2 and try again ...
So the "error" of the mismatched must be in the SHA-2 DS records ?
And *not* in the SHA-1's ? Or in both ?
Kind regards,
Marc
-Original Message-
From:
et.
All name servers in this environment are 9.7.2-P3, by the way.
The correct DS was referring to algorithm 5,
the wrong DS to algorithm 8 (the corresponding algorithm in the DNSKEY
record was 5)
Kind regards,
Marc
-Original Message-
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
) signal this (Bind does).
Hope this helps.
Kind regards,
Marc Lampo
Security Officer
EURid vzw/asbl
From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 09:56 AM
To: marc.la...@eurid.eu; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Marc
helpdesk to get this corrected.
Kind regards,
Marc Lampo
EURid vzw/asbl
Security Officer
From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired
Dear all,
Is there a way to check that
style - attacks glue (A) records anyway
(not CNAME's).
Recommendation :
If you need to refer to other zones (webhosting, "email-in-the-cloud"),
*insist* that they as well implement DNSSEC for their zones !
Kind regards,
Marc Lampo
Security Officer for EURid vzw/asbl
-Original Me
he servers mentioned in the configuration I posted are
both authoritative for the zones that they're query for _and_ willing
to recurse for my bind if it asked them a recursive query. Which it
doesn't in the "forward" setup, it jus
n-addr.arpa level, or somewhere above that, explicitly, or
> so-called "global forwarding" defined in the "options" clause.
Global forwarders. So they would take precedence over the locally
available delegations for the stub zone?
Greetings
Marc
--
-
OMAIN
without bind even trying to talk to the actual name server.
I can ping 10.1.101.6 just fine.
I must admit that I haven't yet fully understood the difference between
a stub zone and a forward zone, and why I need the forwarders { } on
the stub zon
he zone) at that server, thus bypassing
the bad NS rrset.
Then, what is the difference between "static-stub" and "a forwarding zone"
?
Kind regards,
Marc
)
Kind regards,
Marc Lampo
From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 22 February 2011 12:00 PM
To: bind-users@lists.isc.org
Subject: bind and IPV6
Dear all,
In the scope of the IPV6 deployment, I have been asked if our DNS servers
are IPV6 compliant.
We are now upgradi
re working with the registrar,
You can also consult help pages on EURid.eu website, accessible to
registrars only)
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.:+32 (0)476 984 391
marc.la.
me
server,
even regardless if the bogus name server is DNSSEC aware or not.
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
marc.la...@eurid.eu
http://www.eurid.eu
in the RFC
do apply to expired RRSIG's in the cache.
Thanks and kind regards,
Marc Lampo
EURid
-Original Message-
From: Florian Weimer [mailto:fwei...@bfk.de]
Sent: 03 January 2011 10:22 AM
To: Marc Lampo
Cc: bind-users@lists.isc.org
Subject: Re: caching of expired RRSIG's ?
*
f the entire answer.
Thanks and kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.:+32 (0)476 984 391
marc.la...@eurid.eu
http://www.eurid.eu
Want a .eu web address in your own langua
(I didn't find any -
RFC5155 states the new algorithms - 6 and 7 - *must* be used when NSEC3
is used,
But not a word - unless I overlooked it - about using algorithm 7 and
yet, NSEC ...)
Looking forward to your comments.
Kind regards,
Marc Lampo
Security Officer
EURid
Wo
the TTL into account ?
(so that it does not resign later than "present expiration" - "TTL")
Or is this irrelevant because the answer to earlier question
is that an expired RRSIG in the cache must be refreshed.
Thanks and kind regards,
Marc Lampo
Security Off
DN to your internal
server.
The fact that, on the internal server, that FQDN might itself not be a
delegated name (no NS records)
is of no relevance to the partner name server.
Hope this helps.
Kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem -
e : "unexplored
fields" ?
While this gets sorted out, be careful when adding DNSSEC validation to
forwarding name servers :
only if the caching name server(s), to which queries are forwarded, are
DNSSEC aware themselves
will the combination "forwarding" + "validating
ional setting of the
revocation bit is generally considered as best practice ?
This, in my opinion, adds more complexity for the administrator of DNSSEC zones.
Isn't it enough to use the revoke bit only in case of an actual/suspected
compromise ?
Your comments are welcome !
Kind regards,
Hello,
You can ask them to run this:
dig -t txt -c chaos VERSION.BIND @
or maybe you are lucky and this website is useful for you:
http://www.howismydns.com/tools.php
good luck.
Joan Marc Riera Duocastella
Barcelona Media - Centre d'Innovació
Av. Diagonal, 177, planta 9 08018 - BARC
update {update_log; };
category update-security {update_log; };
category notify {notify_log; };
category queries {query_log; };
category lame-servers { null; };
};
Thanks to all of you.
Joan Marc Riera Duocastella
Barcelona Media - Centre d'Innovació
Av. Diagonal,
ia.org.
mailman IN MX 10 mailman.barcelonamedia.org.
;### External IPs for the FBM zone ###
2020 IN A 217.116.20.166
awebmail IN A 217.14.38.81
graficos IN A 193.145.44.102
Thanks for reading.
Joan Marc Rier
Hello,
we have some troubles with restart and stop.
bind does not stop and I think it's because of a wrong kill argument on
the stop) case.
I think that the kill -0 $PID should be something else, is it possible?
Many thanks
Marc
From /etc/init.d/bind9:
stop)
#here i erase