David Alexandre M. de Carvalho wrote:
> So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6).
> Unfortunately no automatic signing before Bind 9.9, from what I read.
BIND 9.8 has automatic signing, but not inline signing. However nsdiff is
almost as good as inline signing, and I wro
> On 27 Jul 2018, at 1:34 am, Daniel Stirnimann
> wrote:
>
> Hello all,
>
> dnssec-signzone (BIND 9.12.2) sometimes does lowercase DNSSEC records.
> This seems a problem especially for NSEC records which are case
> sensitive. dnssec-verify is moaning with errors like this:
The case of the na
> While this is not a problem for BIND to load the zone it seems
> unexpected to me. Should dnssec-signzone not remove obsolete signatures?
Found out that this issue is fixed in BIND 9.11.0a1:
4305. [bug] dnssec-signzone was not removing unnecessary rrsigs
from the zone's apex.
On Tue, Oct 28, 2014 at 04:48:20AM +1100, shm...@riseup.net wrote:
> I couldn't sign a zone with the draft SMIMEA RR from debian jessie based OS
It's not yet been implemented in BIND.
I expect we will, but not until it's at least been allocated a type code
(see http://www.iana.org/assignments/dns
On 4/25/2013 11:57 AM, Evan Hunt wrote:
The warning is spurious and has been fixed in 9.9.3. It was incorrectly
checking to see whether there were any DNSKEY records in the zone *before*
loading them from the key files. It should have been doing so afterward,
obviously.
Ah, okay, thanks for
> dnssec-signzone -d /path/to/dsset -K /path/to/keys -3 00 -f
> zone.signed -e +3024000 -j 1800 -o zone.edu -r /dev/urandom -S -T 12h
> /path/to/input
>
> dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY;
> ignoring
> Fetching ZSK 59544/RSASHA256 from key repository.
On Mon, 17 Sep 2012, Evan Hunt wrote:
Does anyone use dnssec-signzone with -x? If so, can you check/tell me
your DNSKEY RRset?
I just tested it with "dnssec-signzone -Sx example.com" and
"dnssec-signzone -x example.com", on 9.9.2 and 9.7.4, and it worked
as expected in all cases.
Were you si
> Does anyone use dnssec-signzone with -x? If so, can you check/tell me
> your DNSKEY RRset? And if it works, could you reveal the full
> commandline argument used, the bind version, and whether any pkcs#11
> provider was compiled in?
I just tested it with "dnssec-signzone -Sx example.com" and
"dn
On 03/08/2012 18:00, John Marshall wrote:
> On 03/08/2012 09:28, John Marshall wrote:
>> The behaviour of the dsset file generation appears to be unaffected by
>> the smart signing switch (-S). The generated dsset file includes all
>> KSK's found in the key repository (-K) irrespective of any timin
On 03/08/2012 09:28, John Marshall wrote:
> The behaviour of the dsset file generation appears to be unaffected by
> the smart signing switch (-S). The generated dsset file includes all
> KSK's found in the key repository (-K) irrespective of any timing
> metadata (e.g. deleted). The dnssec-settime
On Tue, 1 Nov 2011, Paul Wouters wrote:
There have been discussions in the past over this, but we were once again
bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command:
/usr/sbin/dnssec-signzone -C -u -r /dev/random -t -o openswan.org -f
/var/tmp/openswan.org
On Tue, 1 Nov 2011, Paul Wouters wrote:
There have been discussions in the past over this, but we were once again
bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone
-C -u -r /dev/random -t -o openswan.org -f /var/tmp/openswan.org.
> Seeing this after upgrading to 9.6.2-P1.
>
> We've made no other changes to the host or any configuration files, etc.
>
> /var/named # dnssec-signzone -g -o xxx.xxx.gov.au db.xxx.xxx.gov.au
> dnssec-signzone: fatal: no self signed KSK's found
When dnssec-signzone has finished signing, it chec
On Tue, Mar 30, 2010 at 01:50:23PM +1100, chris liesfield wrote:
> Here's the output ...
> /var/named # named-checkzone sro.vic.gov.au db.sro.vic.gov.au
> zone sro.vic.gov.au/IN: loaded serial 2010033001
> OK
>
> I chose level 7 debugging to yield as much information as possible, so sorry
> for th
On Tue, Mar 30, 2010 at 12:39:58PM +1100, chris liesfield wrote:
> Seeing this after upgrading to 9.6.2-P1.
> We've made no other changes to the host or any configuration files, etc.
> /var/named # dnssec-signzone -g -o xxx.xxx.gov.au db.xxx.xxx.gov.au
> dnssec-signzone: fatal: no self signed KSK'
15 matches