les for governmental domain
> names, but not for the general public/commercial domains. Other European
> ccTLD registries have/had promotions for DNSSEC, so this might be the reason
> for higher deployment rates.
>
> Greetings,
> Klaus
I think at least one Scandinavian country
/find-subdomains/
> Thanks again for your attention,
> Michael
cheers,
raf
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for mo
On Fri, Dec 31, 2021 at 10:45:12AM +1100, raf wrote:
> On Thu, Dec 30, 2021 at 09:07:54AM +0100, Danilo Godec via bind-users
> wrote:
>
> > On 29. 12. 21 19:24, tale wrote:
> > > On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users
> > > wrote:
ut the main thing is that the Linux kernel has been patched,
so it shouldn't be a problem after your next security update.
Until then, you could block outgoing ICMP if doing so doesn't
cause more problems than it solves.
cheers,
raf
sop-nsec3-guidance-00
the recommendation is:
nsec3param iterations 0 optout no salt-length 0;
cheers,
raf
> shouldn't take more than 5 minutes with packages
>
> 9.16.10 to 9.16.21 is a bugfix update, case closed
Packaging is not always that simple. For example, on
Debian stable, the current version is 9.16.15. However,
the Debian team will ba
On Fri, Sep 03, 2021 at 08:58:49PM +1000, Mark Andrews wrote:
> yes
Thanks.
> > On 3 Sep 2021, at 20:41, raf via bind-users
> > wrote:
> >
> > Hi,
> >
> > Sorry, but I'm having trouble finding zonefile syntax
> > documentation.
> >
.skip many hex lines...]
be412474f2c5f04d193124990ef9b15490883604e4aa9adb
)
Thanks.
cheers,
raf
you support. If a validator wants to protect itself from downgrade
> attacks it needs to limit itself to only checking RRSIGs for algorithms
> listed in the DS RRset and ensure that all algorithms listed there are
> present in the response and th
On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch wrote:
> raf via bind-users wrote:
> > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
> > wrote:
> >
> > > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > > same algori
pdate-check-ksk and the keys sub-clause of
> dnssec-policy.
Thanks.
cheers,
raf
ing the KSK sign the ZSK enough?
What difference does the nature of the thing
being signed make?
cheers,
raf
On Fri, Aug 20, 2021 at 09:46:46PM +1000, raf via bind-users
wrote:
> On Fri, Aug 20, 2021 at 09:33:01PM +1000, raf via bind-users
> wrote:
>
> > Hi,
> >
> > I want to use TSIG for zone transfers,
> > only allowing zone transfers to
> > particular IP
On Fri, Aug 20, 2021 at 09:33:01PM +1000, raf via bind-users
wrote:
> Hi,
>
> I want to use TSIG for zone transfers,
> only allowing zone transfers to
> particular IP addresses if they
> possess the TSIG shared secret.
>
> The documentation at:
>
> https://
containing the address(es)
of the secondary)?
And if so, do I really want to? I'd like to, but
that syntax is a bit gross. Maybe I'm being silly.
Maybe I should just rely on the possession of the key.
Thoughts?
cheers,
raf
On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking
wrote:
> Hi,
>
> On 16-08-2021 04:28, raf via bind-users wrote:
> > On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> ...
> >
> > So it's looking good and I'm happy now. But how long
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> But the real problem is that bind crashed, and dumped
> core, and couldn't start at all. There were a hectic
> few minutes there. :-) I deleted the coredump and the
> key files, and the .jnl files, restored backup
> zo
or me to modify my unsigned
sources, install them over the top of bind's signed
versions, and will bind happily recreate all of the
DNSSEC records each time? Is that what's expected? That
bind and I keep overwriting each other's zone files?
Thanks for your time, and apologies for
On Wed, Aug 11, 2021 at 12:14:38PM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 11:27 PM, raf via bind-users wrote:
> > Does that help at all?
>
> Very much thank you. I have now discovered my DNS key and corresponding DS
> record. I believe the DS record is what
On Wed, Aug 11, 2021 at 09:40:00AM +0200, Matthijs Mekking
wrote:
> > Syntax question:
> > In https://bind9.readthedocs.io/en/latest/dnssec-guide.html
> > the double quotes are never used in the zone stanza
> > where the dnssec-policy is referred to. The double
> > quotes sometimes (but not alwa
On Tue, Aug 10, 2021 at 09:19:33PM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 7:32 PM, raf via bind-users wrote:
> > To get the DS record information to convey to the
> > registrar, after starting to use the default policy.
> > look for the CDS record (the ch
's short version:
1. Monitor, look for new KSKs
2. Upload the DS once the CDS/CDNSKEY for the KSK is published.
3. Request the old DS to be removed.
3. Wait for the new DS to appear (the old DS should be replaced).
4. Run "rndc dnssec -checkds -key ID published ZONE"
5. Run "
the double quotes are never used in the zone stanza
where the dnssec-policy is referred to. The double
quotes sometimes (but not always) appear in the
dnssec-policy definition stanza.
Are the double quotes optional in both cases?
> --
>
> Tim Daneliuk tun...@
Hi Matthijs,
On Mon, Aug 09, 2021 at 11:11:48AM +0200, Matthijs Mekking
wrote:
> Hi raf,
>
> On 09-08-2021 10:08, raf via bind-users wrote:
> > Hi,
> >
> > I've got a bunch of DNSSEC questions.
> > Any advice would be appreciated.
> >
> >
-key ID published ZONE" to inform bind
- Wait for bind to sign the ZSKs with the new KSKs
- Wait a few TTLs
- Manually delete the DS RRs for the old KSKs via the registrar's website
- Wait for the old DS RRs to disappear from the DNS
- Run "rndc dnssec -checkds -key ID withdr
tions optout no salt-length 16;
};
There should be an integer after "iterations".
Based on the following text, the number of iterations should be 10.
Should I submit a merge request, or can someone just fix it?
cheers,
raf
e
as the 9.11.5 server that's doing its own resolving.
Apologies for the noise.
cheers,
raf
On Fri, Aug 06, 2021 at 11:56:06AM +1000, raf wrote:
> Hi,
>
> Firstly, I'd like to thank everyone involved with making bind.
> I'm used to using old versions (9.10.3 on an o
ation auto",
9.10.3 won't resolve tools.ietf.org or datatracker.ietf.org,
but 9.11.5 will resolve them. 9.10.3 will only resolve them
without "dnssec-validation auto". Below is some dig output.
Any thoughts?
cheers,
raf
Bind-9.10.3 (old ubuntu) without dnssec-valid