Hello all,
first let me thank you for your patience.
On Fri, Jul 11, 2014 at 10:47 AM, Mark Andrews wrote:
>
> In message
>
> , Wolfgang Rosenauer writes:
>> All but one request succeeded:
>> s15418965:~ # dig dnskey org +dnssec @199.19.56.1 +ignore +nore
On Fri, Jul 11, 2014 at 1:32 AM, Mark Andrews wrote:
>
> Then all of the following should succeed. Please let the
> list know how you go.
>
> dig soa . @198.41.0.4 +norec
> dig soa . @198.41.0.4 +dnssec +norec
> dig dnskey . @198.41.0.4 +dnssec +norec
>
ok, sorry for the confusion but I think what's more relevant is that
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"87.106.30.170 DNS reply size limit is at least 3843 bytes"
"87.106.30.170
btw, don't know what that means exactly.
In addition the output above to test the UDP sizes when I do that on
the correct/my bind:
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
there is no output at all. Is that also expected and the reason is the
UDP limitation?
Thanks,
Wolfgang
On Thu, Jul 10, 2014 at 4:54 PM, Mark Andrews wrote:
>
> Firstly upgrade. You are out of date.
I currently run a distribution provided version which is pretty new
compared with most published Linux distributions but if it helps I
would do that as well.
> Secondly fix your firewall. You need to
On Thu, Jul 10, 2014 at 4:16 PM, Tony Finch wrote:
>
> Suspicious. What do you get if you run
> dig +short rs.dns-oarc.net txt
s15418965:~ # dig +short rs.dns-oarc.net txt
rst.x479.rs.dns-oarc.net.
rst.x488.x479.rs.dns-oarc.net.
rst.x493.x488.x479.rs.dns-oarc.net.
"2001:8d8:870:1200::53 D
On Thu, Jul 10, 2014 at 4:00 PM, Tony Finch wrote:
> Wolfgang Rosenauer wrote:
>
>> Changed it now to dnssec-lookaside auto and it still behaves exactly
>> the same way.
>
> What happens if you delete the managed-keys files and restart?
first thing:
2014-07-10T16:04:5
On Thu, Jul 10, 2014 at 1:38 PM, Tony Finch wrote:
> Wolfgang Rosenauer wrote:
>>
>> dnssec-validation auto;
>> dnssec-lookaside . trust-anchor dlv.isc.org.;
>
> Why not use dnssec-lookaside auto; ?
No strong reason. I found many examples how to se
Hi,
I'm pretty much new to DNSSEC and try to deploy my first bind to
support it correctly.
My bind version is 9.9.4P2 and what I did is the following just to
allow DNSSEC verification (no zone management yet):
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside . t