On 25/01/11 11:20 PM, "Mark Andrews" wrote:
>
> In message , Kalman Feher writes:
>>
>>
>>
>> On 25/01/11 4:10 PM, "Alan Clegg" wrote:
>>
>>> On 1/25/2011 9:51 AM, Kalman Feher wrote:
>>>
If the nsec3param has been removed, the automated signing will be weird if
you are u
In message , Kalman Feher writes:
>
>
>
> On 25/01/11 4:10 PM, "Alan Clegg" wrote:
>
> > On 1/25/2011 9:51 AM, Kalman Feher wrote:
> >
> >> If the nsec3param has been removed, the automated signing will be weird if
> >> you are using nsec3 keys. I haven't tested this scenario, since it isn't
On 25/01/11 4:10 PM, "Alan Clegg" wrote:
> On 1/25/2011 9:51 AM, Kalman Feher wrote:
>
>> If the nsec3param has been removed, the automated signing will be weird if
>> you are using nsec3 keys. I haven't tested this scenario, since it isn't
>> really a working scenario.
>
> There is no such th
On 1/25/2011 9:51 AM, Kalman Feher wrote:
> If the nsec3param has been removed, the automated signing will be weird if
> you are using nsec3 keys. I haven't tested this scenario, since it isn't
> really a working scenario.
There is no such thing as an "nsec3 key".
If you auto-sign a zone that does
On 25/01/11 2:34 PM, "Zbigniew Jasiński" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 2011-01-24 17:47, Kalman Feher wrote:
>> This appears to be the problem.
>> I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could
>> not replicate it. Try turning u
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-24 17:47, Kalman Feher wrote:
> This appears to be the problem.
> I copied your NSEC3PARAM (opt out clear, 12 iterations) details but could
> not replicate it. Try turning up the logging to get more information about
> why the nsec3param
On 24/01/11 4:08 PM, "Zbigniew Jasiński" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 2011-01-24 14:34, Kalman Feher wrote:
>> I assume you did add the nsec3param record via nsupdate after adding the
>> zone? I note that there is an NSEC entry there, which is not right.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-24 14:34, Kalman Feher wrote:
> I assume you did add the nsec3param record via nsupdate after adding the
> zone? I note that there is an NSEC entry there, which is not right.
>
Yes, with nsupdate. And the lack of NSEC3PARAM was very odd.
On 24/01/11 10:53 AM, "Zbigniew Jasiński" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 2011-01-21 15:17, Kalman Feher wrote:
>>> Perhaps we are getting close to the problem then.
>>> Can you show the content of the key files? Specifically the metadata which
>>> the "mai
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-21 15:17, Kalman Feher wrote:
>> Perhaps we are getting close to the problem then.
>> Can you show the content of the key files? Specifically the metadata which
>> the "maintain" option wants.
>
>> Since "allow" works I'm assuming that
On 21/01/11 2:05 PM, "Zbigniew Jasiński" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 2011-01-21 11:23, Kalman Feher wrote:
>> The only way I can replicate the behaviour is with dnssec-enable no or with
>> an unsigned version of the zone in another view. Assuming you've
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-21 11:23, Kalman Feher wrote:
> The only way I can replicate the behaviour is with dnssec-enable no or with
> an unsigned version of the zone in another view. Assuming you've not
> overlapped your views in such a way (it was a very contr
The only way I can replicate the behaviour is with dnssec-enable no or with
an unsigned version of the zone in another view. Assuming you've not
overlapped your views in such a way (it was a very contrived test), I think
you'll need to provide a bit more information on your configuration.
-options
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-19 18:38, Hauke Lampe wrote:
> Another thing you might check:
>
> With "dnssec-enable no;" in named.conf, BIND still does its automatic
> DNSSEC signing but won't add RRSIG to responses.
>
> I ran across such a configuration lately. Y
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 19.01.2011 15:59, Zbigniew Jasiński wrote:
> Like I wrote in my previous email, I've checked the journal file and
> there are updates with RRSIG records but still named is returning
> answers without signatures
Another thing you might check:
With
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-19 14:24, Kalman Feher wrote:
> Try without +short ;)
> I also have the habit of using that and can get caught out. Remember that
> +short only includes the answer, which is not the RRSIG you are hoping to
> see.
>
RRSIG is _the_ answe
Try without +short ;)
I also have the habit of using that and can get caught out. Remember that
+short only includes the answer, which is not the RRSIG you are hoping to
see.
On 19/01/11 12:49 PM, "Zbigniew Jasiński" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 2011-01
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2011-01-17 15:39, Kalman Feher wrote:
> Have you tried more sane times?
>
> Those don't look like sensible times even for a test, which is probably why
> BIND isn't signing. I think you are below the sensitivity level for BIND to
> sign automat
Have you tried more sane times?
Those don't look like sensible times even for a test, which is probably why
BIND isn't signing. I think you are below the sensitivity level for BIND to
sign automatically.
If you want to test, try using hours or days as values. When initially
testing I used lifetim
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi all,
I have my test zone example configured with option auto-dnssec maintain;
zone "example" {
type master;
file "var/zone/example";
allow-update { loopback; };
allow-transfer { trusted; loopback; };
auto-d