> On 2 May 2022, at 12:28, J Doe wrote:
>
> On 2022-04-29 01:18, Mark Andrews wrote:
>
>> break-dnssec is about if the client could detect the re-write or not using
>> DNSSEC. If the client has DO=1 in the request and the normal response is
>> signed then rewrites can be detected. If break-
On 2022-04-29 01:18, Mark Andrews wrote:
break-dnssec is about if the client could detect the re-write or not using
DNSSEC. If the client has DO=1 in the request and the normal response is
signed then rewrites can be detected. If break-dnssec is ’no’ the rewrite will
be prevented. If break-
break-dnssec is about if the client could detect the re-write or not using
DNSSEC. If the client has DO=1 in the request and the normal response is
signed then rewrites can be detected. If break-dnssec is ’no’ the rewrite will
be prevented. If break-dnssec is ‘yes’ then the rewrite will occur.
Hi,
I am configuring an RPZ for a validating resolver. I read in the BIND
9.18.2 ARM that there is a boolean option for RPZ zones called:
break-dnssec.
The ARM states:
...In that case, RPZ actions are applied regardless of DNSSEC.
The name of the clause option reflects the fact that
Thank you, I'll report back the result
On Wed, Aug 18, 2021 at 10:49 AM Mark Andrews wrote:
>
> > On 18 Aug 2021, at 10:23, Edwardo Garcia wrote:
> >
> > Hola Mark,
> >
> > Thank you, so to be clear, what is mean to delegate zone, the black
> > zone? I am not dns expert unfortunately
>
> Yes, c
> On 18 Aug 2021, at 10:23, Edwardo Garcia wrote:
>
> Hola Mark,
>
> Thank you, so to be clear, what is mean to delegate zone, the black zone? I
> am not dns expert unfortunately
Yes, create a separate zone for black.example.net.
In example.net you add NS records for black.example.net. They
Hola Mark,
Thank you, so to be clear, what is mean to delegate zone, the black zone? I
am not dns expert unfortunately
On Wed, Aug 18, 2021 at 6:23 AM Mark Andrews wrote:
> Delegate the zone. Do NOT add a DS for it.
>
> --
> Mark Andrews
>
> On 17 Aug 2021, at 23:47, Edwardo Garcia wrote:
>
>
Delegate the zone. Do NOT add a DS for it.
--
Mark Andrews
> On 17 Aug 2021, at 23:47, Edwardo Garcia wrote:
>
>
> Hola
>
> We have dnssec working for long time but need now to have a subdomain
> excluded, we are going to be use it to replace an internal blacklist, we have
> 14 smtp serve
Hola
We have dnssec working for long time but need now to have a subdomain
excluded, we are going to be use it to replace an internal blacklist, we
have 14 smtp servers and it is cumbersome to keep in sync.
So we have example.net signed,
but we want black.example.net, and of course all addresses
I should have pointed out that BOTH servers have recursion turned on.
Yeah, I know about having DNSSEC-enable=yes to not break downstream
validation. (I inherited this setup...)
BOTH are internal DNS servers with access to the internet to query the
internet roots (no default forwarding active).
Bob McDonald wrote:
>
> Server A
> DNSSEC=yes
> DNSSEC-validation=yes
> Valid trust anchor for the root zone
> DNSSEC validation seems to work correctly
> Zone one.com. is setup as a forward zone to server B
>
> Server B
> DNSSEC=no
> DNSSEC-validation=N/A
> authoritative and the master for one.co
Consider the following example:
Server A
DNSSEC=yes
DNSSEC-validation=yes
Valid trust anchor for the root zone
DNSSEC validation seems to work correctly
Zone one.com. is setup as a forward zone to server B
Server B
DNSSEC=no
DNSSEC-validation=N/A
authoritative and the master for one.com.
When ser
> From: michoski
> To: Steve Arntzen , bind-users@lists.isc.org
> Subject: Re: dnssec question. confused.
>
> On 9/28/11 5:32 AM, "Steve Arntzen" wrote:
>> Is your firewall Cisco based?
>>
>> There is a known "default" setting in Cisco with res
> On 9/28/11 5:32 AM, "Steve Arntzen" wrote:
> > Is your firewall Cisco based?
Yes. The firewall is Cisco based.
However, the main problem there is, there are several firewalls before
leaving our network and my dept doesn't manage all of them.
> > There is a known "default" setting in Cisco wi
On 9/28/11 5:32 AM, "Steve Arntzen" wrote:
> Is your firewall Cisco based?
>
> There is a known "default" setting in Cisco with respect to packet size
> for DNS. Our network guys run into this anytime they do an upgrade,
> etc. and have to go in and update the setting.
This bit me the first tim
Is your firewall Cisco based?
There is a known "default" setting in Cisco with respect to packet size
for DNS. Our network guys run into this anytime they do an upgrade,
etc. and have to go in and update the setting.
Steve.
On Tue, 2011-09-27 at 15:45 -0500, Brad Bendily wrote:
> When trying
11 10:45 PM
To: bind-users@lists.isc.org
Subject: dnssec question. confused.
When trying the DNSSEC check command from:
https://www.dns-oarc.net/oarc/services/replysizetest
behind our corporate firewall, I get:
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.
In message <798e3caf2fcc264481d8f75fb3d0bfd91b538...@mailmbx10.mail.la.gov>, Brad Bendily writes:
>
> When trying the DNSSEC check command from:
> https://www.dns-oarc.net/oarc/services/replysizetest
>
> behind our corporate firewall, I get:
> rst.x476.rs.dns-oarc.net.
> rst.x485.x476.rs.dns-oa
On 09/27/2011 13:45, Brad Bendily wrote:
> dig +dnssec eeoc.gov
Try that again with +notcp.
FYI, on a "clean" network the response I get to that query is 3,918 bytes.
hth,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadt
When trying the DNSSEC check command from:
https://www.dns-oarc.net/oarc/services/replysizetest
behind our corporate firewall, I get:
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"Tested at 2011-09-27 20:32:34 UTC"
"205.172.49.177 sent EDNS buffer s
20 matches