On Wed, Apr 05, 2023 at 11:04:10AM +0200, Klaus Malorny
wrote:
> On 04.04.23 15:11, Josh Kuo wrote:
> > Hi all,
> >
> > [...]
> >
> > The only one I know of is the very dated US OMB memo from 2008. I see
> > several European domains have better DNSSEC deployment rates (such as
> > .de). Are th
On Thu, Dec 22, 2022 at 07:16:55AM +, Michael De Roover
wrote:
> So PTR records don't seem to be very useful in getting this information
> either. As such, I am still stranded.
Unless you scan for all (IPv4) PTR records into a
database ready for searches.
Here's a link to a page that lists
On Fri, Sep 03, 2021 at 08:58:49PM +1000, Mark Andrews wrote:
> yes
Thanks.
> > On 3 Sep 2021, at 20:41, raf via bind-users
> > wrote:
> >
> > Hi,
> >
> > Sorry, but I'm having trouble finding zonefile syntax
> > documentation.
> >
Hi,
Sorry, but I'm having trouble finding zonefile syntax
documentation.
Is the following correct syntax for an SMIMEA record?
ef809616390533e15df60e10478b6e5c7040a2152f762f173ef6c014._smimecert.raf.org IN
SMIMEA (
3 0 0
308204c8308202b0020101300d06092a864886f70d01010b05003012
[...skip ma
On Thu, Sep 02, 2021 at 11:15:32AM +1000, Mark Andrews wrote:
> The primary reason that it is per algorithm is that validators and
> signers are not required to support the same sets of algorithms and
> if you want validation to work for everyone the zone has to be fully
> signed for each algorit
On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch wrote:
> raf via bind-users wrote:
> > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
> > wrote:
> >
> > > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > > same algori
On Tue, Aug 31, 2021 at 02:13:35PM +1000, Mark Andrews wrote:
> The rules for what gets signed by what are per algorithm. Additionally the
> SEP bit is a hint to the signer as to what is desired. Named has controls to
> say whether to pay attention to the SEP bit or not. Additionally it will
> ov
On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
wrote:
> What algorithm(s) are you using for ZSK and KSK? If they’re not the
> same algorithm, then both will be used to sign the entire zone.
>
> Regards,
> Chris Buxton
Just out of curiosity, why is that?
Isn't having the KSK sign the ZS
On Fri, Aug 20, 2021 at 09:46:46PM +1000, raf via bind-users
wrote:
> On Fri, Aug 20, 2021 at 09:33:01PM +1000, raf via bind-users
> wrote:
>
> > Hi,
> >
> > I want to use TSIG for zone transfers,
> > only allowing zone transfers to
> > particular IP
On Fri, Aug 20, 2021 at 09:33:01PM +1000, raf via bind-users
wrote:
> Hi,
>
> I want to use TSIG for zone transfers,
> only allowing zone transfers to
> particular IP addresses if they
> possess the TSIG shared secret.
>
> The documentation at:
>
> https://
Hi,
I want to use TSIG for zone transfers,
only allowing zone transfers to
particular IP addresses if they
possess the TSIG shared secret.
The documentation at:
https://bind9.readthedocs.io/en/latest/advanced.html
has this section:
5.5.4. TSIG-Based Access Control
which gives this relevan
On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking
wrote:
> Hi,
>
> On 16-08-2021 04:28, raf via bind-users wrote:
> > On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> ...
> >
> > So it's looking good and I'm happy now. But how long
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> But the real problem is that bind crashed, and dumped
> core, and couldn't start at all. There were a hectic
> few minutes there. :-) I deleted the coredump and the
> key files, and the .jnl files, restored backup
> zonefiles, updated the ser
Hi,
I've just upgraded my bind9 server to debian-11 which
has bind-9.16.15. I've been looking forward to this. I
had my local dnssec-policy ("annual") all ready to go.
But it didn't go well at all.
For the first few seconds, I thought it was great. I
uncommented my new config to enable DNSSEC sig
On Wed, Aug 11, 2021 at 12:14:38PM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 11:27 PM, raf via bind-users wrote:
> > Does that help at all?
>
> Very much thank you. I have now discovered my DNS key and corresponding DS
> record. I believe the DS record is what
On Wed, Aug 11, 2021 at 09:40:00AM +0200, Matthijs Mekking
wrote:
> > Syntax question:
> > In https://bind9.readthedocs.io/en/latest/dnssec-guide.html
> > the double quotes are never used in the zone stanza
> > where the dnssec-policy is referred to. The double
> > quotes sometimes (but not alwa
On Tue, Aug 10, 2021 at 09:19:33PM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 7:32 PM, raf via bind-users wrote:
> > To get the DS record information to convey to the
> > registrar, after starting to use the default policy,
> > look for the CDS record (the ch
On Tue, Aug 10, 2021 at 11:24:31AM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 10:07 AM, Matthijs Mekking wrote:
> >> So just to be sure I'm doing the right thing, I've added this to my
> >> options stanza:
> >>
> >> dnssec-policy "default";
> >>
> >> Then restarted named and now
On Tue, Aug 10, 2021 at 08:51:04AM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 7:51 AM, Matthijs Mekking wrote:
> > Hi Klaus,
> >
> > On 10-08-2021 13:38, Klaus Darilion wrote:
> >> Hi Matthijs!
> >>
> >>> We would like to encourage you to change your configurations to
> >>> 'dnssec-
Hi Matthijs,
On Mon, Aug 09, 2021 at 11:11:48AM +0200, Matthijs Mekking
wrote:
> Hi raf,
>
> On 09-08-2021 10:08, raf via bind-users wrote:
> > Hi,
> >
> > I've got a bunch of DNSSEC questions.
> > Any advice would be appreciated.
> >
> >
Hi,
I've got a bunch of DNSSEC questions.
Any advice would be appreciated.
The context is a little VM with six little zones,
soon to be upgraded to debian-11 and bind-9.16.15.
I haven't signed my zones before but now is the time.
I'm going to rotate KSKs annually because it's
finally so easy to o
Hi,
I've just read:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html
(excellent, by the way)
And I've noticed (only!) one typo.
In the "Migrating from NSEC to NSEC3" section, it says:
dnssec-policy "standard" {
nsec3param iterations optout no salt-length 16;
};
Th
Hi again,
Never mind. It wasn't the difference between versions.
It was that the 9.10.3 server was forwarding all queries
to my ISP's DNS servers which are not functioning well.
They can't even resolve ietf.org at the moment.
When forwarding to 8.8.8.8 instead, it behaves the same
as the 9.11.5 se
Hi,
Firstly, I'd like to thank everyone involved with making bind.
I'm used to using old versions (9.10.3 on an old ubuntu host)
and (9.11.5 on debian-10 stable). And just as I'm about to start
using DNSSEC for my domains, debian-11 stable is about to come
out in a few days with bind-9.16.15 which
24 matches