On Mon, Mar 10, 2014 at 12:38:34PM +, Graham Clinch wrote:
This isn't quite what I see with inline-signing on 9.9.5:
If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
until the moment it has an NSEC3 chain.
If I replace an existing NSEC3 chain with a new salt, I seem
Evan Hunt wrote:
>
> What should happen is:
>
> - the old NSEC3PARAM is removed
Isn't that a bit early? Can a secondary transfer the zone while there is
no NSEC3PARAM?
> - a private-type record is created, indicating that a
>   new NSEC3 chain is being created
> - all the new NSEC3 records a
On Mon, Mar 10, 2014 at 12:38:34PM +, Graham Clinch wrote:
> This isn't quite what I see with inline-signing on 9.9.5:
>
> If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
> until the moment it has an NSEC3 chain.
>
> If I replace an existing NSEC3 chain with a new sal
Hi,
Sorry to hijack this older thread, but..
rndc signing -nsec3param ...
I would expect the old NSEC3 chain and old NSEC3PARAM record to be
removed, once the new chain is in place.
(Similarly, the new NSEC3PARAM record will not appear in the zone until
the new NSEC3 chain has been completely
On 02/12/2014 05:17 AM, Chris Thompson wrote:
On Feb 11 2014, David Newman wrote:
[...]
That's interesting. It seems to contradict Lucas' advice to "always
use '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough
and more aren't any more secure."
It's difficult to see how that can
On Feb 11 2014, David Newman wrote:
[...]
That's interesting. It seems to contradict Lucas' advice to "always use
'1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more
aren't any more secure."
It's difficult to see how that can make sense. Increasing the number of
iterations
In message <52fa7d8e@networktest.com>, David Newman writes:
> > It's probably worth noticing what the big operators do, e.g.
> >
> > $ dig +noall +answer +nottl NSEC3PARAM com. edu. net. org.
> > com. IN NSEC3PARAM 1 0 0 -
> > edu. IN NSEC3PARAM
On 2/11/14 7:38 AM, Chris Thompson wrote:
> On Feb 10 2014, Mark Andrews wrote:
>
>> In message <52f94ee2.7080...@ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
> [... snip ...]
>>> On 02/06/14 15:07, Timothe Litt wrote:
> [... snip ...]
>>> > Note also the RFC 5155 recommendation:
>>> >> The salt S
On Feb 10 2014, Mark Andrews wrote:
In message <52f94ee2.7080...@ksu.edu>, "Lawrence K. Chen, P.Eng." writes:
[... snip ...]
On 02/06/14 15:07, Timothe Litt wrote:
[... snip ...]
> Note also the RFC 5155 recommendation:
>> The salt SHOULD be at least 64 bits long and unpredictable, so that
>
> On 06/02/2014 12:58, Timothe Litt wrote:
> >>>> On 06-Feb-14 05:56, Cathy Almond wrote:
> >>>>> On 05/02/2014 18:54, David Newman wrote:
> >>>>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
> >>>>>>
5/02/2014 18:54, David Newman wrote:
>>>>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
>>>>>> time a zone's ZSK changes.
>>>>>>
>>>>>> Is this just a matter of a new 'rndc signing
On 06-Feb-14 09:14, Klaus Darilion wrote:
On 06.02.2014 14:58, Cathy Almond wrote:
On 06/02/2014 12:58, Timothe Litt wrote:
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone
On 06.02.2014 11:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of a new 'rndc signing' command, or is some action
needed to remove the ol
On 06.02.2014 14:58, Cathy Almond wrote:
On 06/02/2014 12:58, Timothe Litt wrote:
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of
On 06/02/2014 12:58, Timothe Litt wrote:
> On 06-Feb-14 05:56, Cathy Almond wrote:
>> On 05/02/2014 18:54, David Newman wrote:
>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
>>> time a zone's ZSK changes.
>>>
>>> Is this
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of a new 'rndc signing' command, or is some action
needed to remove the old sa
On 05/02/2014 18:54, David Newman wrote:
> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
> time a zone's ZSK changes.
>
> Is this just a matter of a new 'rndc signing' command, or is some action
> needed to remove the old salt?
>
> than
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of a new 'rndc signing' command, or is some action
needed to remove the old salt?
thanks
dn
18 matches