How to migrate dnssec algorithm smoothly from auto-dnssec to dnssec-policy?

2021-01-15 Thread von Dein, Thomas
Howdy, I have a domain which is being signed automatically using auto-dnssec on an older bind9, it uses RSASHA1 keys. Now the registry requires us to move to a more secure algorithm. Therefore I updated bind to bind9.16.6. Now I could switch to dnssec-policy, however if I change the algorithm,

AW: Unable to completely transfer root zone

2020-03-05 Thread von Dein, Thomas
Hello, I finally changed the config to type hint. However, now I still have the problem of keeping it up to date, right? Would a monthly cronjob suffice? Tom -----Original Message----- From: bind-users On Behalf Of Tony Finch Sent: Friday, 14 February 2020 13:47 To: bind-users@li

How to throttle misconfigured clients?

2020-03-03 Thread von Dein, Thomas
Hello, we're seeing a lot of malformed dns queries to our recursive nameservers like these: 06:38:32.733678 IP client.59003 > nameserver2.53: 21974+ ? notification. (30) 06:38:32.734079 IP nameserver2.53 > client.59003: 21974 NXDomain 0/1/0 (105) 06:38:33.216732 IP client.59003 > nameserver

AW: Unable to completely transfer root zone

2020-02-14 Thread von Dein, Thomas
does this mean? The setup is like this: Proxy dmz with local forwarding bind => internet bind => internet The error above occurred on the forwarding bind in the proxy dmz. best regards, Tom -----Original Message----- From: von Dein, Thomas Sent: Tuesday, 11 February 2020 14:45 To

AW: Unable to completely transfer root zone

2020-02-11 Thread von Dein, Thomas
Hi, > So maybe try setting `request-ixfr no;` and see if that improves matters. Nope, didn't change anything. Also, I was wrong when I stated that dig works, it does not. It transfers only a part of the zone as well. However, in the meantime we found that some component drops packets. I imple

AW: Unable to completely transfer root zone

2020-02-10 Thread von Dein, Thomas
Hi Warren, > This sounds very much like a path MTU issue -- it starts the transfer, > gets part of the way and then a big packet doesn't make it through... > Are you doing the test dig from the same machine? And if so, from the same IP? Yes, I test from the same system using the same source addre

Unable to completely transfer root zone

2020-02-10 Thread von Dein, Thomas
Hi everyone, we are unable to complete root zone transfer from our nameservers. This is the error we're getting: Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281 Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.