Re: Authoritative and caching

2025-04-03 Thread Danjel Jungersen via bind-users
Hi everyone. Thank you for all your help! One key piece of info that I missed: the DS record should be placed on the TLD host. I tried (and failed) using the "normal" publicly available DNS for my domain. Now back to the original problem, getting DANE set up. All the best! Danjel On 23-03-2025 11:1

Re: Authoritative and caching

2025-03-23 Thread Danjel Jungersen via bind-users
On 19-02-2025 12:04, Greg Choules wrote: Hi Danjel. To obtain a packet capture use tcpdump, which is probably installed already. If not, add it using your preferred package manager. You can dump to the screen, but I find it more useful to dump to a file, which can then be analysed offline in W

Re: Authoritative and caching

2025-03-16 Thread Danjel Jungersen via bind-users
On 16-03-2025 21:40, Greg Choules wrote: Hi. From what others have said, that makes sense. For BIND's static files to be under /etc and operational files (zone data, journals etc.) to be somewhere else. What are the permissions on /var/lib/bind/ and/or /var/cache/bind? Both are root:bind and

Re: Authoritative and caching

2025-03-16 Thread Danjel Jungersen via bind-users
>I would either change ownership of "/etc/bind" and all files and folders >below that from "root" to "bind", or, if the group for user "bind" is also >"bind", leave ownership as root but change group permissions to rwx for >everything "/etc/bind" and below. You could try starting with just >"/et

Re: Authoritative and caching

2025-03-16 Thread Ondřej Surý
It does, and it follows the FHS, so not in /etc. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 16. 3. 2025, at 17:08, Timothe Litt via bind-users > wrote: > > In the

Re: Authoritative and caching

2025-03-16 Thread Timothe Litt via bind-users
On 15-Mar-25 18:16, Lee wrote: On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users wrote: Apparmor was also mentioned, I have no experience with that, and have not changed it in any way (to my knowledge)... On my machine, $ journalctl -l | grep apparmor | grep bind |more shows m

Re: Authoritative and caching

2025-03-16 Thread Greg Choules via bind-users
Sending from the correct alias this time! On Sun, 16 Mar 2025 at 09:03, Greg Choules wrote: > Thank you. > The problem is that named is running as user "bind" but that user > doesn't have file system permissions to create and write to files (the .jnl > and .jbk files at least) in places that it

Re: Authoritative and caching

2025-03-15 Thread Lee
On Sat, Mar 15, 2025 at 5:25 PM Danjel Jungersen via bind-users wrote: > > Apparmor was also mentioned, I have no experience with that, and have not > changed it in any way (to my knowledge)... On my machine, $ journalctl -l | grep apparmor | grep bind |more shows many lines like Dec 14 08:00

Re: Authoritative and caching

2025-03-15 Thread Danjel Jungersen via bind-users
Off-list I was asked. root@ns1:/etc/bind# ls -la total 60 drwxr-sr-x  3 root bind 4096 Mar 15 16:31 . drwxr-xr-x 71 root root 4096 Jan  6 08:40 .. -rw-r--r--  1 root root 2403 Jul 27  2024 bind.keys -rw-r--r--  1 root root  255 Jul 27  2024 db.0 -rw-r--r--  1 root root  271 Jul 27  2024 db.12

Re: Authoritative and caching

2025-03-15 Thread Lee
On Sat, Mar 15, 2025 at 12:32 PM Danjel Jungersen via bind-users < bind-users@lists.isc.org> wrote: > I'm so sorry, but I have to trouble you guys again. > > The help below helped, I have no errors from checkconf or checkzone, but > from journalctl I get: > /etc/bind/zones/db.jungersen.dk.jbk: cre

Re: Authoritative and caching

2025-03-15 Thread Greg Choules via bind-users
Hi Danjel. Please send "ls -al" of both "/etc/bind" and "/etc/bind/zones" Thanks, Greg On Sat, 15 Mar 2025 at 16:32, Danjel Jungersen via bind-users < bind-users@lists.isc.org> wrote: > I'm so sorry, but I have to trouble you guys again. > > The help below helped, I have no errors from checkconf

Re: Authoritative and caching

2025-03-15 Thread Danjel Jungersen via bind-users
I'm so sorry, but I have to trouble you guys again. The help below helped, I have no errors from checkconf or checkzone, but from journalctl I get: /etc/bind/zones/db.jungersen.dk.jbk: create: permission denied and /etc/bind/zones/db.jungersen.dk.signed.jnl: create: permission denied and some

Re: Authoritative and caching

2025-03-12 Thread Mark Andrews
I shouldn't have tried to write that on the phone from memory. dnssec-policy "unlimited" { keys { csk lifetime unlimited algorithm ECDSAP256SHA256; }; }; zone "jungersen.dk" { type master; file "/etc/bind/zones/db.jungersen.dk"; allow-transfer { 192.168.20.11; };

Re: Authoritative and caching

2025-03-12 Thread Danjel Jungersen via bind-users
On 20-02-2025 08:40, Mark Andrews wrote: The zone is available publicly, but from public servers not hosted by me (one.com). And points to my external IP. My internal bind redirects local traffic directly to local servers on local IPs. DNSSEC is designed to stop spoofed answers being accepte

Re: Authoritative and caching

2025-02-19 Thread Mark Andrews
> On 20 Feb 2025, at 17:35, Danjel Jungersen wrote: > > > > On 19 February 2025 13:01:01 CET, Mark Andrews wrote: > >You can install a negative trust anchor or sign the zone so that DNSSEC > >validation works. The zone exists in the public DNS. You can use the same > >key material or use d

Re: Authoritative and caching

2025-02-19 Thread Danjel Jungersen via bind-users
On 19 February 2025 13:01:01 CET, Mark Andrews wrote: >You can install a negative trust anchor or sign the zone so that DNSSEC >validation works. The zone exists in the public DNS. You can use the same key >material or use different key material and publish multiple DS records for >both the p

Re: Authoritative and caching

2025-02-19 Thread Mark Andrews
You can install a negative trust anchor or sign the zone so that DNSSEC validation works. The zone exists in the public DNS. You can use the same key material or use different key material and publish multiple DS records for both the private and public DNSKEYs. The latter will allow DNSSEC vali

Re: Authoritative and caching

2025-02-19 Thread Greg Choules via bind-users
Hi Danjel. To obtain a packet capture use tcpdump, which is probably installed already. If not, add it using your preferred package manager. You can dump to the screen, but I find it more useful to dump to a file, which can then be analysed offline in Wireshark. A typical capture command might be:

Re: Authoritative and caching

2025-02-19 Thread Danjel Jungersen via bind-users
On 19-02-2025 11:44, Mark Andrews wrote: The posix boxes are validating the responses and your zone is not properly delegated/signed so DNSSEC validation fails. Is there a way to overcome this? They are not delegated, since they are not public. - Or am I missing something? But explains why exte

Re: Authoritative and caching

2025-02-19 Thread Mark Andrews
The posix boxes are validating the responses and your zone is not properly delegated/signed so DNSSEC validation fails. What does the following return? dig +cd +dnssec mail.jungersen.dk The answer on the internet is signed. -- Mark Andrews > On 19 Feb 2025, at 21:21, Danjel Jungersen via

Re: Authoritative and caching

2025-02-19 Thread Danjel Jungersen via bind-users
On 19-02-2025 11:11, Marco Moock wrote: On Wed, 19 Feb 2025 10:58:14 +0100, Danjel Jungersen via bind-users wrote: But if I change /etc/resolv.conf to 127.0.0.1 something happens If I do a dig or ping from my postfix box to something that the 2 main bind boxes are authoritative for, it doesn't

Re: Authoritative and caching

2025-02-19 Thread Marco Moock
On Wed, 19 Feb 2025 10:58:14 +0100, Danjel Jungersen via bind-users wrote: > But if I change /etc/resolv.conf to 127.0.0.1 something happens > If I do a dig or ping from my postfix box to something that the 2 main > bind boxes are authoritative for, it doesn't work. Please sniff the DNS traffic

Authoritative and caching

2025-02-19 Thread Danjel Jungersen via bind-users
Hi. I have a primary and a secondary set up on debian 12. They both seem to work. They are authoritative for my own domain that is used to redirect local traffic to local servers. There is no (inbound) contact from the outside to bind. I then have a postfix server, where I need to run a loca