RE: Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
> Install and run haveged... The problem is your system doesn't have enough > entropy This was clearly the problem. I built a new test server with haveged installed, and the bind9 completed ECDSAP256SHA256 signing in 5 seconds. I used 9.11.1 this time since it was just released today.

RE: Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
> Install and run haveged... The problem is your system doesn't have enough > entropy in the processor or maybe it's a VM but either way there is not > enough entropy to produce random seeds which is why it is taking so long. Thanks, David. The system is a Microsoft Azure VM. I assumed that whil

Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
I'm testing a bind9 v11.1.0-P5 server signing 8 small zones de novo with ECDSAP256SHA256. The process takes about 12 hours to complete vs. signing with RSASHA256, which is almost immediate, but signing is ultimately successful. The server is running Ubuntu 16.04 LTS with current patches. I don't

RE: BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

2013-07-07 Thread Spain, Dr. Jeffry A.
>> Based on a Microsoft tech support case that I opened, the only way to fix >> this was to turn off EDNS ("dnscmd /config /EnableEDnsProbes 0"). >> This also seems to have been fixed in Windows Server 2012. > What a bummer, this essentially stops anyone from using DNSSEC validation > correctly

RE: BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

2013-07-07 Thread Spain, Dr. Jeffry A.
> Perhaps someone who has a Windows 2008 R2 domain can go ahead and confirm > this, but so far the only way I can see to mitigate this issue is either: > 1. Disable EDNS on Windows 2008 R2 (which essentially disables the ability to > accept DNSSEC based responses) or 2. Disable DNSSEC support in

RE: BIND9 SERVFAIL Issue with Windows 2008 R2 DNS Server

2013-07-06 Thread Spain, Dr. Jeffry A.
> Looking at this further, it appears when EDNS is turned on in the Windows > 2008 R2 DNS server (default, accepting DNSSEC responses), resolution fails > occasionally with a SERVFAIL when NODATA is returned to BIND (i.e. 0 answers > with a status code of NOERROR.) I'm using Windows Server 2012

RE: Bind 9.9.3 configuration message: missing 'file' entry

2013-06-06 Thread Spain, Dr. Jeffry A.
>> The brackets were wrong and we should have checked that obj was true. > The patch you provided makes the log message go away. The bind9 service > appears to be working normally, and named-checkconf produces no output. > Thanks. Jeff. FYI. The patch for /lib/bind9/check.c provided earlier in

RE: Bind 9.9.3 configuration message: missing 'file' entry

2013-06-02 Thread Spain, Dr. Jeffry A.
> The brackets were wrong and we should have checked that obj was true. The patch you provided makes the log message go away. The bind9 service appears to be working normally, and named-checkconf produces no output. Thanks. Jeff. ___ Please visit https

RE: Bind 9.9.3 configuration message: missing 'file' entry

2013-06-02 Thread Spain, Dr. Jeffry A.
> Have you looked carefully enough, and to the correct file if there is no > missed character that makes the configuration invalid? > Have you run named-checkconf with and without the given file as parameter? The log message is new since bind-9.9.2-P2 with no changes to the configuration files. T

Bind 9.9.3 configuration message: missing 'file' entry

2013-06-02 Thread Spain, Dr. Jeffry A.
For bind 9.9.3 build on Ubuntu 12.04LTS x64, I see log messages, for example, "/etc/bind/named.conf.local:4: zone 'jaspain.biz': missing 'file' entry" for each slave zone configured for inline signing. The file clause is, in fact, present in the configuration file, for example: zone "jaspain.biz

RE: Building from source and running in chroot environment

2013-03-14 Thread Spain, Dr. Jeffry A.
> Are there relatively recent instructions on how to build BIND from source and > run it in a chroot environment? It sounds obvious but everything I've come > across assumes BIND is provided by some package manager or included with the > operating system. I'd like to build the latest version of

RE: key rollover with BIND 9.9

2013-01-26 Thread Spain, Dr. Jeffry A.
> What are other people using to automate key rollovers with 9.9? Michael: I automated mine by generating a set of 9 ZSKs and 2 KSKs for each zone in advance, setting the timing metadata to achieve a 90-day prepublication rollover cycle for the ZSKs and a 720-day rollover cycle for the KSKs. Onc

RE: How to Download and Install Nsupdate from BIND 9 Package

2012-09-24 Thread Spain, Dr. Jeffry A.
> Please tell me how to download and install Nsupdate from BIND 9 to run on an > Windows XP client? 1. Download http://ftp.isc.org/isc/bind9/9.9.1-P3/BIND9.9.1-P3.zip. 2. Expand the archive and run BINDInstall.exe. 3. Verify and change the target directory according to your preference. 4. Check

RE: Problem with DNSSEC signing zone

2012-07-20 Thread Spain, Dr. Jeffry A.
> all this step has been well done, but the last step: > Generate DS records and provide them to your registrar. > has not been fluent for me. I found how can i provide key to the registrar i > used this command: > dnssec-dsfromkey -2 Kwillzik.co.uk KSK.key  "is it the good way to do?" That comma
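Added example, not code from this thread or from ISC: the computation behind dnssec-dsfromkey -2, in Python, so the DS handed to the registrar can be cross-checked against the KSK's .key file. The sample DNSKEY line is constructed (a two-byte public key, so the key-tag sum can be followed by hand); a real KSK carries a few hundred base64 characters. Digest type 2 is SHA-256, which is what the -2 switch selects.

```python
# Added example (not code from the thread): derive a DS record from a DNSKEY
# in zone-file presentation format, the way "dnssec-dsfromkey -2" does.
# Key tag: RFC 4034 appendix B.  DS digest: RFC 4034 section 5.1.4,
# digest = hash(canonical owner name in wire form || DNSKEY RDATA).
import base64
import hashlib
import struct

# Constructed sample: a 2-byte "public key" so the arithmetic is easy to follow.
# A real RSASHA256 KSK carries a few hundred bytes of base64 here.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQI="

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the empty root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'.
    Returns (owner, flags, protocol, algorithm, rdata) with rdata in wire form."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, protocol, algorithm, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: 16-bit sum over the RDATA with the carry folded in.
    This is the key id shown in DS and RRSIG records; it is not unique."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line: str, digest_type: int = 2, require_sep: bool = True) -> str:
    """Return the DS RR to hand to the parent/registrar.  digest_type 2 (SHA-256)
    is what dnssec-dsfromkey -2 produces; SHA-1 (1) is here for comparison only
    and should not be used for new delegations."""
    owner, flags, protocol, algorithm, rdata = parse_dnskey(dnskey_line)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 2.1.2)")
    if require_sep and not flags & 0x0001:
        # A DS normally points at the KSK (flags 257, SEP bit set), not a ZSK (256).
        raise ValueError("refusing to publish a DS for a key without the SEP bit")
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    owner_fqdn = owner.rstrip(".") + "."
    return f"{owner_fqdn} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Run it against the real Kexample.com.+008+NNNNN.key file contents and compare the output with what dnssec-dsfromkey -2 prints; after the registrar has published the DS, `dig DS example.com` at the parent should show the same key tag and digest.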

RE: Problem with DNSSEC signing zone

2012-07-20 Thread Spain, Dr. Jeffry A.
> 1. Generated KSK and ZSK > 2. Add both of keys at the end of my zone file > 3. signing my zone with dnssec-signzone command > 4. enable dnssec in named options > 5. change the name of my zone in the named by namezone.signed > 6. I got the root DNSKEY RR set before with dig comm

RE: Listen-On and Ipv6

2012-07-09 Thread Spain, Dr. Jeffry A.
> If no listen-on statement is included, will requests be processed and > logged? From Bv9ARM, p. 68: "If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces." A client could query a quad-A or any other record using IPv4 network transport, and that would

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Spain, Dr. Jeffry A.
>> My experience with changing the timing metadata or removing the key >> files is that named issues a warning like the following: zone /IN: >> Key // missing or inactive and has no >> replacement: retaining signatures. In this circumstance none of the >> RRSIGs or NSECs are removed. They sit the

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
I propose the following addition to the Bv9ARM, and request review and comment by the experts on this list. -- 4.9.14 DNSKEY Algorithm Rollover From time to time new digital signature algorithms with improved security are introduced, and it may be desirable for administrators to roll

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
>> I discovered that if there was not at least one KSK and ZSK of the same >> algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life >> of one year and ZSK of one month, effectively to roll a key algorithm and >> without forcing the roll-over by removing all the old key/algor

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
> I discovered that if there was not at least one KSK and ZSK of the same > algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of > one year and ZSK of one month, effectively to roll a key algorithm and > without forcing the roll-over by removing all the old key/algorithm

RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Spain, Dr. Jeffry A.
> I don't think that bind trying to sign with non-existent key will do any harm > - probably just warning. > But it's simpler - change metadata of the key - set deletion time to the time > you want the key to be deleted (like DS deletion time+TTL). > Bind with auto-dnssec allow re-reads the metad

Seeking Advice on DNSSEC Algorithm Rollover

2012-06-23 Thread Spain, Dr. Jeffry A.
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the following procedure might accomplish an algorithm rollover cleanly

RE: Understanding cause of DNS format error (FORMERR)

2012-06-22 Thread Spain, Dr. Jeffry A.
> I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver > (bind97-9.7.0-10.P2) to return an error when queried for the A record of > vlasext.partners.extranet.microsoft.com: FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system "dig

RE: Verify raw data within slaves on 9.9.x

2012-06-12 Thread Spain, Dr. Jeffry A.
> However - I guess its a little less efficient than the new default 'raw' > mode, especially for large zones. Consider a change of approach and if its > just an automated check - try 'dig'? I'm finding with in-line signing that > zones are often spread about in journal files - which makes optio

RE: Verify raw data within slaves on 9.9.x

2012-06-11 Thread Spain, Dr. Jeffry A.
> Would an option be to do a dig axfr on the zone? That works if "allow-transfer" is set appropriately. It gives you the zone data in canonical rather than relative format. Jeff.

RE: Verify raw data within slaves on 9.9.x

2012-06-11 Thread Spain, Dr. Jeffry A.
> What tools/commands I can run to get plain ascii/text data out of modern > raw/binary on BIND 9.9.x slaves? > I just want to verify that changes are correct down to the slaves. So - I can > check-in these changes into svn etc. See the ARM under named-checkzone. http://ftp.isc.org/isc/bind9/cu

RE: Bind 9.9.x inline signing

2012-06-03 Thread Spain, Dr. Jeffry A.
> I didn't like the fact that the unsigned serial (which I manage) was lower > than that of the signed zone. Making it bigger than the signed zones version > appears to have gotten the zones back in sync - however the slave is still > not getting any Notifies (and has not yet caught up). With "

RE: Bind 9.9.x operation with dnssec

2012-06-01 Thread Spain, Dr. Jeffry A.
> With "auto-dnssec maintain", I expect the Zone Signing Keys and the > individual RRSIGs to be completely managed and rotated as needed by bind, per > https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html and the Admin Reference, however, at the end of 4.9.7, it sa

RE: different between views and having multiple instances

2012-05-25 Thread Spain, Dr. Jeffry A.
>> I need to understand the difference between configuring bind views and >> having multiple instances of bind. I have 5 network interfaces on my >> server and I want to have 2 instances of DNS server (just for testing) >> and I don't know which one to do ? > BIND views are powerful, but config

RE: Bind9.9.1 Dependences

2012-05-22 Thread Spain, Dr. Jeffry A.
> How can I find out which Unix files/libraries bind requires before I do the > compile? I have successfully built Bind 9.9.1 on Ubuntu 12.04 LTS (Precise Pangolin). Since Ubuntu comes with a previous version of the Bind 9 utilities installed, I uninstall the following packages: apt-get purge b

RE: Bind 9 configuration

2012-05-20 Thread Spain, Dr. Jeffry A.
> (I hope that it's fine to ask about issues connected with the previous > version of bind.) Bind9 has its own listserv at bind-users@lists.isc.org. There are many DNS experts available there. > Could you confirm that my settings are correct? > I'm using this guide (my configuration scenario is

RE: Multiple zones with single key pair

2012-05-10 Thread Spain, Dr. Jeffry A.
> Multiple zones with a single key - is possible with BIND ? There was a recent discussion on this topic. See thread beginning at https://lists.isc.org/pipermail/bind-users/2012-April/087481.html. Jeff. Jeffry A. Spain Network Administrator Cincinnati Country Day School

RE: How does a child find its parent?

2012-05-08 Thread Spain, Dr. Jeffry A.
> Reading the section on delegation in the O'Reilly book, I'm confused about > something: The parent is configured to delegate the subdomain to the child > with glue records, etc. But how does the child know who to ask if a host in > the subdomain requests a record in the parent zone? They don't

RE: Help for

2012-05-08 Thread Spain, Dr. Jeffry A.
> 1. In down level Windows, everything is OK. > 2. In upper level dns(bind), ns record, and A record of nameserver is fine. > 3. But A record in WIndows Server can not resolved by upper level BIND. > I think maybe I have to do something in my windows server to "connect" > windows with linux bind?

RE: Inline Signing does not update SOA?

2012-05-07 Thread Spain, Dr. Jeffry A.
> When I update the SOA record of the master zone file, if I reload the zone > with "rndc reload", the SOA record is updated. If I perform a stop/start of > the named executable, the SOA change is not updated. Ralph: There was a lot of discussion about this issue on the bind forum around the fi

RE: Question about KSK

2012-04-27 Thread Spain, Dr. Jeffry A.
> We are authoritative for a few dozen small zones. Is it possible to use the > same KSK for all of them? I can see where if it gets compromised we would > need to resign all zones using the KSK at once. How much effort would I be > saving sharing the KSK? My sense is that you would be creat

RE: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Spain, Dr. Jeffry A.
> I was setting up BIND DNSSEC and when I issue the following command the > process never finishes. > dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dn

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
> Though I am still curious about this from the end of sigchase output: > Launch a query to find a RRset of type DS for zone: . > ;; NO ANSWERS: no more > ;; WARNING There is no DS for the zone: . > Isn't the "DS for the zone: ." what the "managed-keys" clause provides? Now I think I see what you

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
> Why would 149.20.64.20 return ad then? It's not authoritative either... As I understand it, you need a dnssec-enabled recursive resolver to get an AD flag returned. An authoritative-only server will never return an AD flag. Jeff.
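Added example, not from the thread: a Python decoder for the DNS header flags, with three constructed headers standing in for the three outcomes discussed in these testing-validation messages: an answer from a validating recursive resolver (AD set), an answer straight from an authoritative server (AA set, never AD), and a SERVFAIL from a resolver that could not validate. The AD bit only says the resolver validated; it is worth trusting only over a path to that resolver you trust (localhost or an authenticated transport), because nothing in the message itself protects the bit.

```python
# Added example (not code from the thread): decode the DNS header flags so a
# validated answer from a validating recursive resolver (AD set) can be told
# apart from an authoritative-only answer (AA set, AD never set) and from a
# validation failure (SERVFAIL).  The three headers below are constructed.
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Validating recursive resolver answering a +dnssec query: QR RD RA AD, NOERROR
VALIDATED_HDR = HEADER.pack(0x1234, 0x81A0, 1, 2, 0, 1)
# Authoritative server answering directly: QR AA.  It never validates, so no AD.
AUTHORITATIVE_HDR = HEADER.pack(0x1234, 0x8400, 1, 2, 0, 1)
# Validating resolver that could not build a chain of trust: QR RD RA, RCODE 2
SERVFAIL_HDR = HEADER.pack(0x1234, 0x8182, 1, 0, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Split the 12-byte DNS header into its flag bits and section counts
    (RFC 1035 4.1.1; AD and CD bits from RFC 4035 3.2.2 / 3.2.3)."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "QR": bool(flags & 0x8000),        # response, not query
        "opcode": (flags >> 11) & 0xF,
        "AA": bool(flags & 0x0400),        # authoritative answer
        "TC": bool(flags & 0x0200),        # truncated (retry over TCP)
        "RD": bool(flags & 0x0100),        # recursion desired
        "RA": bool(flags & 0x0080),        # recursion available
        "AD": bool(flags & 0x0020),        # authenticated data (resolver validated)
        "CD": bool(flags & 0x0010),        # checking disabled (client asked not to validate)
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """What the header tells you about DNSSEC status of the answer."""
    h = parse_header(msg)
    if not h["QR"]:
        return "not a response"
    if h["rcode"] == "SERVFAIL":
        # If the same query succeeds with +cd (CD bit set), the failure is a
        # validation failure rather than a plain lookup failure.
        return "servfail (possible validation failure; retry with +cd to tell)"
    if h["AD"]:
        # Only meaningful if you trust the path to the resolver that set it.
        return "validated by the resolver"
    if h["AA"]:
        return "authoritative answer, not validated (authoritative servers never set AD)"
    return "unvalidated"


if __name__ == "__main__":
    for name, hdr in (("validated", VALIDATED_HDR), ("authoritative", AUTHORITATIVE_HDR),
                      ("servfail", SERVFAIL_HDR)):
        print(f"{name:14s} -> {classify(hdr)}")
```

To apply it to live traffic, feed `parse_header` the first twelve bytes of a response captured with tcpdump or received from a socket; `dig +dnssec` prints the same flags in its `;; flags:` line.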

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
> Isn't the "DS for the zone: ." what the "managed-keys" clause provides? > Though putting it back in didn't make the warning go away, so I must be > missing something else here... Any difference with dnssec-validation auto and removing the managed-keys and root hint zone? Jeff.

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
Alan: Comments on your configuration file: I believe that managed-keys... and zone "." { type hint... are built into bind 9.9.0 recursive resolvers and therefore not needed. You can enable the built in root trust anchor by changing dnssec-validation from yes to auto. I think that listen-on { 12

RE: testing validation

2012-04-18 Thread Spain, Dr. Jeffry A.
> I'm testing out dnssec with bind 9.9.0's auto signing and a test domain; this > appears to be working (see below, RRSIG records returned from the actual > nameserver), however and attempt to validate fails with: > # dig +dnssec +sigchase soa raindrop.us > When I simply try to validate the root:

RE: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Spain, Dr. Jeffry A.
> There's quite a bit about choosing e in this presentation: > http://www.esiea-recherche.eu/Slides09/slides_iAWACS09_Erra-Grenier_How-to-compute-RSA-keys.pdf > However, I don't understand the math, so I can't say whether any of the > advice is reasonable :( Interesting document, although I'm no

RE: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Spain, Dr. Jeffry A.
> Well, go argue with Adam Langly in the bug report I submitted (and Paul > quoted in this thread). You're making an argumentum ad verecundiam, which I can't reasonably pursue. In the bug report (http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Pr

RE: fermat primes and dnssec-keygen bug?

2012-03-07 Thread Spain, Dr. Jeffry A.
> Its not about integer overflow, it's about the fact that F5 does not add to > the security, but does use up a lot of CPU cycles. I'd like to study this issue more. Would you please provide a reference that discusses your assertion that using an F5 public exponent does not add to the security

RE: fermat primes and dnssec-keygen bug?

2012-03-06 Thread Spain, Dr. Jeffry A.
> I would recommend that dnssec-keygen starts ignoring the "-e" parameter that > everyone has put in their scripts to prevent exponent 3 keys, who are not > getting keys with exponent 4294967296 + 1 (F5) > Alternatively, if this is done on purpose, I guess we should all migrate the > 64 bit mac

RE: DKIM in TXT record

2012-03-06 Thread Spain, Dr. Jeffry A.
> What is the proper format to write a DKIM TXT? There seems to be quite a bit of information about this available via Google search. Here's one reference I found that gives some step-by-step instructions: Creating DKIM TXT Records in Linux/UNIX Bind http://forum.unifiedemail.net/default.aspx?g=p

RE: reverse dns for IPV6 ranges

2012-03-05 Thread Spain, Dr. Jeffry A.
> But if only some IP have a reverse..what about the other server who have > received an IP in the range? Ip that can be changed every x hours. > If no reverse, it can be blacklisted for some reasons or having some problems > with services asking a reverse dns resolution. In my ip6.arpa zone, al

RE: A question for the reference

2012-03-05 Thread Spain, Dr. Jeffry A.
I tested this by capturing network traffic on a bind 9.9.0 recursive resolver. The commands 'rndc flush' followed by 'dig @localhost funnygamesite.com' resulted in the following: 1. A query to m.gtld-servers.net. 2. The same referral response that you got below. 3. A follow-up query 500 microseco

bind9.9.0 named-checkzone usage message

2012-03-05 Thread Spain, Dr. Jeffry A.
root@ns0s:~ # named-checkzone usage: named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-m (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M (ignore|

RE: reverse dns for IPV6 ranges

2012-03-05 Thread Spain, Dr. Jeffry A.
> Can anyone help me with its experience on reverse dns for IPV6? > Presently, when we reverse an IPV4 subnet for clients, we configure all the > reverse for the whole subnet. > It is a lot of PTR's but perfectly manageable. > With IPV6, the number of IP's that we will receive is amazing > S

RE: BIND 9.9.0 Inline-Signing Out of Control

2012-03-05 Thread Spain, Dr. Jeffry A.
> We thought of two other differences between this zone and the others: > 1. this zone has NS records with servers that are in the zone itself, and 2. > our global "also-notify" option contain IP addresses that resolve to host > names in this zone. I don't have a handle on the underlying proble

RE: RFC 6303 and bind 9.9.0

2012-03-02 Thread Spain, Dr. Jeffry A.
> Didn't the answer to the NS query include the addresses in the Additional > Section? It does when I perform the query manually. It gets cut off with > the default packet size, but if EDNS0 is used it will include them all. The addresses are included in the additional section. Missed that ear

RE: RFC 6303 and bind 9.9.0

2012-03-02 Thread Spain, Dr. Jeffry A.
>> No, it requires a rebuild after changing lib/dns/rootns.c. But using a >> mildly out-of-date hints file is usually harmless - it is only a *hint*. > Right. One of the first things BIND does after starting up is query one of > the root servers to get the current set of root servers. Thanks. T

RE: RFC 6303 and bind 9.9.0

2012-03-02 Thread Spain, Dr. Jeffry A.
>> If the root hints are updated on ftp://rs.internic.net/domain/, would >> it require a new build of bind to incorporate them, or is bind able to >> update its built-in root hints by some other means? > No, it requires a rebuild after changing lib/dns/rootns.c. But using a mildly > out-of-date

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Spain, Dr. Jeffry A.
> In my named.conf I have set up empty zones for the whole of 240/4. I view RFC > 6303 as the minimum necessary for a hygienic name server, but there are a > number of other permanent bogon address ranges which it makes sense to stub > out locally. Would you please elaborate on how you are mana

RE: RFC 6303 and bind 9.9.0

2012-03-01 Thread Spain, Dr. Jeffry A.
>> Just for clarification, do I understand correctly that if none of the >> empty zones described in RFC 6303 are set up explicitly in the bind >> 9.9.0 configuration file, then bind 9.9.0 will process them as such >> anyway using built-in generic zone processing rules? > Yes. To expand a bit

RE: RFC 6303 and bind 9.9.0

2012-02-29 Thread Spain, Dr. Jeffry A.
>> Changing the second line ('@ 10800 IN NS @') to '@ 10800 IN NS localhost.' >> eliminates the errors. > The built in empty zone processing is aware of the special case of NS records > without address records. The generic zone processing rules treat this as a > error condition. Just for clari

RFC 6303 and bind 9.9.0

2012-02-29 Thread Spain, Dr. Jeffry A.
I reviewed RFC 6303, which recommends configuring a number of zones using an empty zone file as follows: @ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800 @ 10800 IN NS @ In bind 9.9.0 this results in errors for each zone referring to the empty zone file as follows: Feb 29 19:24:30 ns0s

bind9.9.0rc4 rndc retransfer appears to be fixed

2012-02-23 Thread Spain, Dr. Jeffry A.
> With the properly patched bind 9.9.0rc3 running, 'rndc retransfer > jaspain.biz' generated no output, presumably indicating success. > The log showed some related error messages, however... > Seems like it is confusing the serial numbers of the signed and unsigned > zones. I installed the bi

RE: bind 9.9.0rc3 inline signing server not updating unsigned zone

2012-02-22 Thread Spain, Dr. Jeffry A.
Mark: Your patch version 3 is included below to confirm that this is the correct one. Initially the patch didn't work properly due to a missing line break before "@@ -5993,6 +5994,12 @@". I fixed that and ran the bind9.9.0rc3 installation again. A manual inspection of server.c afterwards indicat

RE: bind 9.9.0rc3 inline signing server not updating unsigned zone

2012-02-21 Thread Spain, Dr. Jeffry A.
> Ok. The retransfer code needs to look at the unsigned zone rather than the > signed one which should fix the not found issue. The following should fix > the issue. It compiles but otherwise has not been tested. Thanks, I will try it and get back to you with the result. > As to soa refresh

RE: bind public/private domain question

2012-02-21 Thread Spain, Dr. Jeffry A.
> I'm looking for advice on an issue. I have a publicly registered domain > which we also use internally. I have bind configured as a caching DNS > server. Bind is configured to use four other Windows DNS servers as > forwarders for the domain. Bind should be using the root servers for > an

bind 9.9.0rc3 inline signing server not updating unsigned zone

2012-02-21 Thread Spain, Dr. Jeffry A.
The configuration below is for a bind 9.9.0rc3 server named nsb0s providing inline signing service for a hidden master nsb0 and slaves nsb1 and nsb2. The latter three are running bind10-devel-20120119. Nsb1 and nsb2 are also known as ns1.jaspain.net and ns2.jaspain.net. In an effort to test the

RE: Query Regarding NSEC RR in DNSSEC

2012-02-14 Thread Spain, Dr. Jeffry A.
> We have a Authenticated Response in DNSSEC through trust chain. > Now my question is why we itself need a NSEC when we get response from DNSSEC > enabled server authentically. > Means, if a Record exist in DNSSEC, then it replies the answer along with > RRSIG of that RR. > AND if domain doesn

RE: dig -- only RRSIG present.

2012-02-13 Thread Spain, Dr. Jeffry A.
>> Ok, thanks a lot. I thought it was a client process. Now I can query >> for the DS, DNSKEY records from isc.org. >> Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind >> has such a caching program? Do we have a DNSSEC capable resolver in BIND? > Bind *is* a caching program.

RE: dig -- only RRSIG present.

2012-02-13 Thread Spain, Dr. Jeffry A.
>> Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec You should >> get an AD flag returned and a variety of RRSIG records. Jeff. > I hope I'm not missing any concepts here, but there should be a public key to > verify the RRSIG, where's that? Shouldn't the server return additional DNSKE

RE: dig -- only RRSIG present.

2012-02-12 Thread Spain, Dr. Jeffry A.
> Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC > capable domain; infact this server has issues - > dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net. > I'd be really happy if I could get some domains which are signed. Try this one: dig @bind.odvr.dns-oarc.net. isc.org

RE: dig -- only RRSIG present.

2012-02-12 Thread Spain, Dr. Jeffry A.
> But another question remains, where's the DNSKEY record which's the missing > link as of the current time. > Querying -- > dig +dnssec -t DNSKEY yahoo.com @198.41.0.4 > Does not return anything. I think that yahoo.com is probably not a DNSSEC-signed zone and so has no DNSKEY records. Otherwise

RE: dig -- only RRSIG present.

2012-02-12 Thread Spain, Dr. Jeffry A.
> As Tony Finch pointed out to me a few days ago, the Google public servers > don't understand that fact about DS records, and don't know to ask for them > in the parent. But here's something interesting - as of my testing just now, > they *do* respond with DS records This thread has been kind

RE: State diagram for DNSsec key lifecycle

2012-02-10 Thread Spain, Dr. Jeffry A.
>>> I recommend "activate" + "publish" at the same time. >> I'd appreciate knowing your reasoning for preferring this > You are going from unsigned to signed. There is no benefit in publishing, > waiting then activating. The IETF draft "DNSSEC Key Timing Considerations" (http://tools.ietf.org/h

RE: Getting a formerr 'invalid response' for winqual.microsoft.com. but dig +trace works.

2012-02-09 Thread Spain, Dr. Jeffry A.
> It's because a few load balancer vendors don't read freely available > specifications but instead appear to reverse engineer the protocol and get it > wrong. > BIND 9.7.0 fixed a long standing of accepting glue promoted to answer by > parent nameservers. Once we did that there was no need to

RE: State diagram for DNSsec key lifecycle

2012-02-09 Thread Spain, Dr. Jeffry A.
> Please comment on this state diagram: > https://www.chaos1.de/svn-public/repos/network-tools/DNSsec/trunk/dnssec_key_states.pdf For greater clarity, I suggest that for the state transitions (captions on the arrows), you refer specifically to the four metadata timestamps that are present in the
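Added example, not from the thread or from BIND: a Python model of the four timing metadata values (publish, activate, inactive, delete), the per-key state they imply at a given moment, and a generator for the pre-publication ZSK rollover that the 2013-01-26 post automates with nine pre-generated ZSKs. It also covers the 2012-02-10 point that the first key of an unsigned zone is published and activated together. The dnssec-keygen -P/-A/-I/-D options and the YYYYMMDDHHMMSS date form are real; the 90/30/30-day intervals, the zone name, key directory and algorithm are assumptions to be replaced with values derived from your DNSKEY TTL, maximum zone TTL and RRSIG validity period.

```python
# Added example (not the list's or ISC's code): model the four key-timing
# metadata values BIND stores in a key file (Publish, Activate, Inactive,
# Delete; set with dnssec-keygen/dnssec-settime -P/-A/-I/-D) and generate a
# pre-publication ZSK rollover schedule of the kind described in the thread.
# Interval lengths (90-day lifetime, 30-day pre-publish, 30-day retire) are
# assumptions; derive them from your DNSKEY TTL, max zone TTL and RRSIG validity.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BIND_TIME = "%Y%m%d%H%M%S"  # absolute form accepted by dnssec-keygen -P/-A/-I/-D


@dataclass(frozen=True)
class KeyTiming:
    publish: datetime   # DNSKEY appears in the zone
    activate: datetime  # key starts signing
    inactive: datetime  # key stops signing; DNSKEY stays published
    delete: datetime    # DNSKEY removed from the zone

    def __post_init__(self):
        if not self.publish <= self.activate <= self.inactive <= self.delete:
            raise ValueError("timing must satisfy publish <= activate <= inactive <= delete")

    def state(self, now: datetime) -> str:
        """Phase of the key at 'now', using the same boundaries named applies."""
        if now < self.publish:
            return "generated"
        if now < self.activate:
            return "published"
        if now < self.inactive:
            return "active"
        if now < self.delete:
            return "inactive"
        return "deleted"


def zsk_rollover_schedule(start, n_keys, lifetime=timedelta(days=90),
                          prepublish=timedelta(days=30), retire=timedelta(days=30)):
    """Pre-publication rollover: key k+1 is published 'prepublish' before key k
    goes inactive, takes over signing at that instant, and key k stays published
    for 'retire' so cached RRSIGs made with it still validate.  The first key is
    published and activated together (initial signing of an unsigned zone)."""
    if prepublish >= lifetime or retire <= timedelta(0):
        raise ValueError("prepublish must be shorter than lifetime; retire must be positive")
    keys = []
    for k in range(n_keys):
        activate = start + k * lifetime
        publish = start if k == 0 else activate - prepublish
        inactive = activate + lifetime
        keys.append(KeyTiming(publish, activate, inactive, inactive + retire))
    return keys


def active_keys(schedule, now):
    """Indices of keys signing at 'now'; exactly one for a well-formed ZSK chain."""
    return [i for i, k in enumerate(schedule) if k.state(now) == "active"]


def check_continuity(schedule, prepublish):
    """True if each successor becomes active the instant its predecessor goes
    inactive and was published at least 'prepublish' before that."""
    return all(nxt.activate == prev.inactive and nxt.activate - nxt.publish >= prepublish
               for prev, nxt in zip(schedule, schedule[1:]))


def keygen_commands(zone, schedule, algorithm="RSASHA256", bits=2048,
                    keydir="/etc/bind/keys", ksk=False):
    """dnssec-keygen invocations that create the keys with this metadata
    pre-set, so 'auto-dnssec maintain' rolls them without operator action."""
    cmds = []
    for k in schedule:
        cmd = (f"dnssec-keygen -K {keydir} -a {algorithm} -b {bits} -n ZONE"
               + (" -f KSK" if ksk else "")
               + f" -P {k.publish.strftime(BIND_TIME)} -A {k.activate.strftime(BIND_TIME)}"
               + f" -I {k.inactive.strftime(BIND_TIME)} -D {k.delete.strftime(BIND_TIME)} {zone}")
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    start = datetime(2013, 1, 26, tzinfo=UTC)
    plan = zsk_rollover_schedule(start, 9)  # nine ZSKs, as in the 2013-01-26 post
    for c in keygen_commands("example.com", plan):
        print(c)
```

Before the last pre-generated key goes inactive, generate the next batch; `dnssec-settime -p all` on each key file shows the stored timestamps, which is what `state()` is evaluating.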

RE: How to validate DNSSEC signed record with dig?

2012-02-08 Thread Spain, Dr. Jeffry A.
William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather than explicitly signing the zone with dnssec-signzone. I believe I recall that you are using bind 9.8, so this should work for you as well. Here's something you can try: In your bind configuration use the following zone

RE: How to validate DNSSEC signed record with dig?

2012-02-07 Thread Spain, Dr. Jeffry A.
> dnssec-signzone: fatal: key myKSK.key not at origin What are the contents of myKSK.key? The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the domain origin. Jeffry A. Spain Network Administrator Cincinnati Country Day School

RE: Windows 2008 R2 validating DNSSEC resolvers

2012-02-06 Thread Spain, Dr. Jeffry A.
> I know this is a bind list, but does anyone know any public information about > when/if Microsoft is going to release a SHA2 compatible DNS server so it can > be used as a validating DNSSEC resolver without forwarders? Since the root > trust anchor is published in SHA2, currently it can't be u

RE: zone serial (0) unchanged. zone may fail to transfer to slaves.

2012-02-06 Thread Spain, Dr. Jeffry A.
>> Feb 4 15:53:46 nsb0s named[9090]: zone jspain.us/IN (signed): zone serial >> (2012013003) unchanged. zone may fail to transfer to slaves. > I suspect that is is benign. Had you just thawed the server/zone? After a review of the logs over the past several days, I see that this message occurr

RE: zone serial (0) unchanged. zone may fail to transfer to slaves.

2012-02-05 Thread Spain, Dr. Jeffry A.
>> named (BIND 9.7.4-P1) >> err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone >> 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail >> to transfer to slaves. > Ignore it. The message is suppressed in the next maintenance release. I see similar messages in 9.9.0rc

RE: How to validate DNSSEC signed record with dig?

2012-02-05 Thread Spain, Dr. Jeffry A.
> I am trying to validate DNSSEC signature on ns record using dig. > Domain nox.su is properly signed using DNSSEC. > I am trying to validate it as described here: > http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/ > $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trus

9.9.0rc2 Windows Installer Tools Only Installation Issues

2012-02-04 Thread Spain, Dr. Jeffry A.
The BIND9.9.0rc2.zip Windows installer allows for a "Tools Only" installation. With this you can avoid having to enter the service account information that will not be needed. However, the only tools you get are dig.exe, nslookup.exe, and a couple of others. It would be nice to also include dns

RE: Recovering from over enthusiastic key cleanup...

2012-02-02 Thread Spain, Dr. Jeffry A.
> So, is there: > A: an easy way to figure out what keyfiles are no longer being used / > referenced? > B: a simpler way to recover from this when one *does* make a boo boo? What a fun evening. For the sake of interest, which version of bind is in use? With regard to item A, how about executing

RE: trying DNSSEC with 9.9-rc1

2012-02-01 Thread Spain, Dr. Jeffry A.
> Any suggestions, folks? What am I not understanding? Michael: To determine why there is no DNSSEC information being returned by your dig query, consider the following: What are the timestamps in your key metadata? Are they currently published and active? nstest/etc/namedb/keys;dnssec-settime

Bind 9.9rc2 notification gone wild

2012-02-01 Thread Spain, Dr. Jeffry A.
>> I can install bind 9.9.0rc2 tomorrow and test with both nsupdate and >> rndc reload. I would also like to test DNSSEC automatic key rollover >> with inline signing again. I imagine this will be fixed in rc2, given >> the success of the patch you provided earlier. My next ZSK activation >> da

RE: Permissions change after running dnssec-settime bind 9.9.0rc2

2012-02-01 Thread Spain, Dr. Jeffry A.
>> Now the private key is inaccessible to the named process, which is >> running as user bind. User bind is a member of group bind. > Any time a private key file is rewritten, the mode is changed to 600. > There's no rule that it has to be owned by root, though; could you just chown > it to user

Permissions change after running dnssec-settime bind 9.9.0rc2

2012-01-31 Thread Spain, Dr. Jeffry A.
I ran dnssec-settime from bind 9.9.0rc2 today to change the metadata on two of my ZSKs. Before running dnssec-settime, using one of these keys as an example, the file permissions were: -rw-r--r-- 1 root bind 535 2012-01-31 11:47 Kjaspain.us.+005+30795.key -rw-r- 1 root bind 1058 2012-01-3

RE: bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
> Hostnames can't begin with a hyphen (RFC 952). Domain names can start with > anything. I guess that makes the syntax "rndc sync [-clean] [zone [class [view]]]" unavoidably ambiguous. Maybe a way around this would be a new command "rndc clean [zone [class [view]]]". Jeffry A. Spain Network A

RE: bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
>> 2. Prior to the second test, in an attempt to get rid of the journal >> files, I issued the command "rndc sync -clear jaspain.net". This >> generated an error "rndc: 'sync' failed: unknown class/type. I found >> that "rndc sync" and "rndc sync jaspain.net" both worked, so I think >> rndc jus

RE: bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
> It's supposed to be rndc sync -clean, not -clear. I thought we'd fixed that, > darn it... Thanks. "rndc sync -clean jaspain.net" works and does remove the journal files. Jeff ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsu

bind9.9.0rc2 inline signing tests

2012-01-31 Thread Spain, Dr. Jeffry A.
I compiled and installed bind 9.9.0 rc2 on Ubuntu Oneiric x64. The zone jaspain.net used for testing was configured as a master zone with update-policy local, auto-dnssec maintain, and inline-signing yes. I tested by making changes to the unsigned zone, and used named-checkzone to output the uns

RE: bind 9.9 & inline-signing issue..

2012-01-30 Thread Spain, Dr. Jeffry A.
> I suspect that something was wrong with the unsigned zone, 'rndc reload' > failed to catch the problem, and so the zone got itself into a weird state. > The exact circumstance in which I've seen this happen involved a failure to > update the SOA serial, but there may be other triggers for it a

RE: bind 9.9 & inline-signing issue..

2012-01-29 Thread Spain, Dr. Jeffry A.
> After setting up a zone with DNSSEC using inline-signing, I have run into the > issue where if I do anything that updates the unsigned file that is input > into BIND, that it never seems to update the signed data it generated. > As an example, I had serial number of 2012012701 in the test zone

RE: Extracting key tag from DNSKEY

2012-01-25 Thread Spain, Dr. Jeffry A.
> Can I extract the key tag from a DNSKEY, obtained via dig? Try the following: dig @bind.odvr.dns-oarc.net. isc.org dnskey +multiline Jeffry A. Spain Network Administrator Cincinnati Country Day School ___ Please visit https://lists.isc.org/mailman/li

RE: 9.9.0rc1: example from arm 4.8.3 does not validate

2012-01-18 Thread Spain, Dr. Jeffry A.
> I tried the example from page 23 with a local zone, a trusted key and > inline-signing, ... > But I'm getting no ad-flag I think that is expected behavior when you query an authoritative server directly. For example, our authoritative server: dig @ns1.countryday.net countryday.net dnskey +dnss

bind9.9.0rc1 DNSSEC key rollover failure

2012-01-08 Thread Spain, Dr. Jeffry A.
A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2. See https://lists.isc.org/pipermail/bind-users/2011-December/086063.html. This appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon. See http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the

RE: Take your DNSSEC with a grain of salt ...

2011-12-31 Thread Spain, Dr. Jeffry A.
> I've taken some time to write down my knowledge on NSEC3 use of the "salt" > and "iteration" parameters: > Thanks, Carsten. This is a very clear, concise, and informative article. Given the recommendation to change NSEC3 sa

DNSSEC key rollover problems

2011-12-28 Thread Spain, Dr. Jeffry A.
This issue relates to the server nstest.jaspain.net (74.203.156.157), which is running bind 9.9.0b2. Please refer to http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the jaspain.net , A, and TXT RRSets signed by ZSK 35297 expired on 12/17/2011, and those RRSets have not been resigned w

RE: dnssec-keygen not responding

2011-11-30 Thread Spain, Dr. Jeffry A.
> I'd be rather wary of keys made from /dev/urandom but I am often times a > paranoid security freak. Inexpensive USB-attachable RNG: http://www.entropykey.co.uk/ Jeffry A. Spain Network Administrator Cincinnati Country Day School ___ Please visit htt

RE: Bind 9.9.0b2 inline signing...

2011-11-28 Thread Spain, Dr. Jeffry A.
> > > I don't understand why Windows doesn't include dig by default, even now. > > > Free software hate? > > And grep and logrotate! At least the GnuWin32 project has a good version > > of grep. > I think that if I had to use a Windows workstation my first installs would be > the ISC binary

RE: Configuration RPZ using BIND RPM package

2011-11-26 Thread Spain, Dr. Jeffry A.
> Is it possible in configure RPZ by download Bind.tar.gz file from isc > website. if yes, do i need to remove completely all running configuration > including /etc/named.rfc1912.zones and /etc/named.caching-nameserver.conf > files? Kindly suggest. Regards Babu Babu: While I am an Ubuntu user,

RE: Exercising RFC 5011 rollovers

2011-11-26 Thread Spain, Dr. Jeffry A.
> There are tools for this. E.g. libfaketime Looks like libfaketime (http://www.code-wizards.com/projects/libfaketime/) lets you accelerate the system time. Adapting one of their examples: LD_PRELOAD=./libfaketime.so.1 FAKETIME="x5000" /bin/bash -c 'while true; do echo $SECONDS ; sleep 43200 ;
