FYI: We are going forward with deprecating 'auto-dnssec' in 9.18+.
We might deprecate 'inline-signing' too in 9.18, but only if we have
implemented the replacement code to configure it inside 'dnssec-policy'
in time.
After last year's discussion on this mailing list I initially wanted to
mak
* Tim Daneliuk via bind-users:
> I believe the DS record is what I have to provide my registrar as I
> understand it.
That depends on the top level domain. For example, .de uses DS records,
while .com uses DNSKEY records. Best to ask your registrar.
-Ralph
On Wed, Aug 11, 2021 at 12:14:38PM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 11:27 PM, raf via bind-users wrote:
> > Does that help at all?
>
> Very much thank you. I have now discovered my DNS key and corresponding DS
> record. I believe the DS record is what I have to provide
On 8/10/21 11:27 PM, raf via bind-users wrote:
> Does that help at all?
Very much thank you. I have now discovered my DNS key and corresponding DS
record. I believe the DS record is what I have to provide my registrar
as I understand it.
On Wed, Aug 11, 2021 at 09:40:00AM +0200, Matthijs Mekking
wrote:
> > Syntax question:
> > In https://bind9.readthedocs.io/en/latest/dnssec-guide.html
> > the double quotes are never used in the zone stanza
> > where the dnssec-policy is referred to. The double
> > quotes sometimes (but not alwa
Syntax question:
In https://bind9.readthedocs.io/en/latest/dnssec-guide.html
the double quotes are never used in the zone stanza
where the dnssec-policy is referred to. The double
quotes sometimes (but not always) appear in the
dnssec-policy definition stanza.
Are the double quotes optional in bo
Hi Tim,
On 11-08-2021 04:19, Tim Daneliuk via bind-users wrote:
On 8/10/21 7:32 PM, raf via bind-users wrote:
To get the DS record information to convey to the
registrar, after starting to use the default policy.
look for the CDS record (the child version of the DS
record) with dig:
dig CDS
On Tue, Aug 10, 2021 at 09:19:33PM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 7:32 PM, raf via bind-users wrote:
> > To get the DS record information to convey to the
> > registrar, after starting to use the default policy.
> > look for the CDS record (the child version of the DS
> >
On 8/10/21 7:32 PM, raf via bind-users wrote:
> To get the DS record information to convey to the
> registrar, after starting to use the default policy.
> look for the CDS record (the child version of the DS
> record) with dig:
>
> dig CDS EXAMPLE.ORG
>
> For the default policy, you'll only hav
On Tue, Aug 10, 2021 at 11:24:31AM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 10:07 AM, Matthijs Mekking wrote:
> >> So just to be sure I'm doing the right thing, I've added this to my
> >> options stanza:
> >>
> >> dnssec-policy "default";
> >>
> >> Then restarted named and now
On Tue, Aug 10, 2021 at 08:51:04AM -0500, Tim Daneliuk via bind-users
wrote:
> On 8/10/21 7:51 AM, Matthijs Mekking wrote:
> > Hi Klaus,
> >
> > On 10-08-2021 13:38, Klaus Darilion wrote:
> >> Hi Matthijs!
> >>
> >>> We would like to encourage you to change your configurations to
> >>> 'dnssec-
Klaus Darilion via bind-users wrote:
>
> By reading this KB I do not know how the user will be informed which DS
> (or DNSKEY) must be submitted to the parent zone. I know you to convert
> a DNSKEY to DS, but IMO the KB is very good but misses that point.
I would expect the zone's apex CDS and CD
On 8/10/21 10:07 AM, Matthijs Mekking wrote:
>> So just to be sure I'm doing the right thing, I've added this to my
>> options stanza:
>>
>> dnssec-policy "default";
>>
>> Then restarted named and now all the signing magic is taken care of for
>> me for all zones? (I was not previously using
On 10-08-2021 15:51, Tim Daneliuk via bind-users wrote:
On 8/10/21 7:51 AM, Matthijs Mekking wrote:
Hi Klaus,
On 10-08-2021 13:38, Klaus Darilion wrote:
Hi Matthijs!
We would like to encourage you to change your configurations to
'dnssec-policy'. See this KB article for migration help:
h
On 8/10/21 7:51 AM, Matthijs Mekking wrote:
> Hi Klaus,
>
> On 10-08-2021 13:38, Klaus Darilion wrote:
>> Hi Matthijs!
>>
>>> We would like to encourage you to change your configurations to
>>> 'dnssec-policy'. See this KB article for migration help:
>>>
>>> https://kb.isc.org/docs/dnssec-key-and
Thanks, I got some more suggestions to improve the KB article, I'll
include yours to that list.
On 10-08-2021 15:28, Klaus Darilion wrote:
On 10-08-2021 13:38, Klaus Darilion wrote:
Hi Matthijs!
We would like to encourage you to change your configurations to
'dnssec-policy'. See this KB arti
> On 10-08-2021 13:38, Klaus Darilion wrote:
> > Hi Matthijs!
> >
> >> We would like to encourage you to change your configurations to
> >> 'dnssec-policy'. See this KB article for migration help:
> >>
> >> https://kb.isc.org/docs/dnssec-key-and-signing-policy
> >
> > Some comments to this KB artic
Hi Klaus,
On 10-08-2021 13:38, Klaus Darilion wrote:
Hi Matthijs!
We would like to encourage you to change your configurations to
'dnssec-policy'. See this KB article for migration help:
https://kb.isc.org/docs/dnssec-key-and-signing-policy
Some comments to this KB article and dnssec-polic
Hi Matthijs!
> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:
>
> https://kb.isc.org/docs/dnssec-key-and-signing-policy
Some comments to this KB article and dnssec-policy:
- The article should mention how to retrie
On 10/08/2021 at 12:34, Matthijs Mekking wrote:
> Hi Emannuel,
>
> Thanks for your response.
>
> On 10-08-2021 11:28, FUSTE Emmanuel via bind-users wrote:
>> On 10/08/2021 at 10:02, Matthijs Mekking wrote:
>>> Hi users,
>>>
>>> We are planning to deprecate the options 'auto-dnssec' and
>>> 'inl
Hi Emannuel,
Thanks for your response.
On 10-08-2021 11:28, FUSTE Emmanuel via bind-users wrote:
On 10/08/2021 at 10:02, Matthijs Mekking wrote:
Hi users,
We are planning to deprecate the options 'auto-dnssec' and
'inline-signing' in BIND 9.18. The reason for this is because
'dnssec-policy'
On 10/08/2021 at 10:02, Matthijs Mekking wrote:
> Hi users,
>
> We are planning to deprecate the options 'auto-dnssec' and
> 'inline-signing' in BIND 9.18. The reason for this is because
> 'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
>
> Deprecating means that you can s
Hi users,
We are planning to deprecate the options 'auto-dnssec' and
'inline-signing' in BIND 9.18. The reason for this is because
'dnssec-policy' is the preferred way of maintaining your DNSSEC zone.
Deprecating means that you can still use the options in 9.18, but a
warning will be logged