Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-18 Thread Evan Hunt
On Fri, Nov 18, 2011 at 11:57:51PM +, Spain, Dr. Jeffry A. wrote:
> I'd like to ask for clarification on the operational issue stated below.
> Suppose there are no current changes to an inline-signed master zone,
> i.e. myzone.db.signed timestamp is later than myzone.db timestamp. In
> this cir

RE: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-18 Thread Spain, Dr. Jeffry A.
painj=countryday@lists.isc.org] On Behalf Of Evan Hunt
Sent: Friday, November 11, 2011 12:48 PM
To: Adam Tkac
Cc: bind-users@lists.isc.org
Subject: Re: OT: Bind 9.9.0B1 Inline-Signing Question

I should mention that there is a known operational issue in the current version of inline-signing that you s

Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-11 Thread Evan Hunt
> I have just one question, what should inline-zone admin do? I assume
> that named automatically regenerates & removes expired RRSIGs so is it
> sufficient to put new KSK and ZSK to the key-directory when needed and
> revoke older ones? Thanks for your answer in advance.

Yes, it will keep RRSIGs

Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-11 Thread Jan-Piet Mens
> So the error being logged isn't really an error, it just looks like
> one; we should probably see about silencing it.

The error is indeed confusing, maybe it should say "not yet signed"?

11-Nov-2011 12:32:35.838 zone inline.aa/IN/internal (unsigned): loaded serial 2
11-Nov-2011 12:32:35.838 zo

Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-11 Thread Adam Tkac
On 11/10/2011 11:16 PM, Evan Hunt wrote:
>> I know that this isn't the forum for betas
> Sure it is. :)
>
>> We have been testing with the alphas and now with the beta. What we are
>> seeing is that whenever named starts, it initially creates the signed
>> static zone file, but never really finishe

Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-10 Thread Evan Hunt
> I know that this isn't the forum for betas

Sure it is. :)

> We have been testing with the alphas and now with the beta. What we are
> seeing is that whenever named starts, it initially creates the signed
> static zone file, but never really finishes.

What do you mean by "never really finishes"

Re: OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-10 Thread Michael Graff
Do you see that each time named starts or just on the first load of the zone? What happens if you send a query to the server with dig +dnssec?

On Nov 10, 2011, at 14:23, "McConville, Kevin" wrote:
> I know that this isn’t the forum for betas, which is why I put off-topic on
> the subject li

OT: Bind 9.9.0B1 Inline-Signing Question

2011-11-10 Thread McConville, Kevin
I know that this isn't the forum for betas, which is why I put off-topic on the subject line. We are trying to implement DNSSEC for our static zones. While the dynamic signing has been automated, static inline-signing isn't available until Bind 9.9. We have been testing with the alphas and now