esday, September 24, 2019 2:01 PM
To: John W. Blue
Cc: bind-us...@isc.org
Subject: RE: DNSSEC basic information
John W. Blue wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I
> understand it, that was not the intent.
I'm a relative newcomer having only done DNSSEC for about 10 years (so
I wasn't around until most of the design arguments were settled), but I
don't remember seeing any
12:46 PM
To: bind-us...@isc.org
Subject: Re: DNSSEC basic information
Evan Hunt answers Jukka Pakkanen:
> In newer releases there's also a configuration option, "validate-except",
> which permanently disables validation below specified domains. This can
> be used, for example, if you have an internal network using a fake TLD
> and you want to prevent it from showi
Evan Hunt wrote:
>
> There's a way now for a signed domain to send an in-band signal to its
> parent that the DS RRset needs updating. A new tool "dnssec-cds" is
> available to help with this. AFAIK this mechanism hasn't been adopted by
> any TLDs yet, but may be of interest anyway.
.ch https://w
Mark Elkins wrote:
>
> 2) When a Zone is signed, you will be given some DS Records - which need to be
> passed on for inclusion into the Parent Zone. Currently, BIND creates two DS
> keys.
> You'll find them inside "dsset-Zone.being.signed".
... if you are using dnssec-signzone, but I would not r
On 2019/09/23 23:00, John W. Blue wrote:
Jukka,
Some odds n ends in no particular order:
1. DNSSEC was designed for external zones
1) I'd also suggest using Algorithm 13 - Elliptical Curve - for any new
key creations
dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed
This
On Tue, Sep 24, 2019 at 03:15:42AM +, Evan Hunt wrote:
> Six years is a long time, I've probably forgotten a few.
Oh here's one: "dig +sigchase" is dead now, use "delv" to check DNSSEC
validation chains.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
On Mon, Sep 23, 2019 at 08:16:43PM +, Jukka Pakkanen wrote:
> I am finally digging in to DNSSEC, updating our BIND 9.14.5 servers to
> support it, both resolving & signing, secure zone transfers etc.
>
> I just have read the DNSSEC Mastery by Michael W. Lucas from year 2013,
> and my question b
NSEC3.
Hope that helps!
John
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jukka
Pakkanen
Sent: Monday, September 23, 2019 3:32 PM
To: Jukka Pakkanen; bind-us...@isc.org
Subject: VS: DNSSEC basic information
Already found out about
https://ftp.isc.org/isc/dnssec-guide
To: bind-us...@isc.org
Subject: DNSSEC basic information
I am finally digging in to DNSSEC, updating our BIND 9.14.5 servers to support
it, both resolving & signing, secure zone transfers etc.
I just have read the DNSSEC Mastery by Michael W. Lucas from year 2013, and my
question basically is, is this information from 6 years back still valid, or
hope
12 matches