On 12-07-20 07:16 PM, Mark Andrews wrote:
>
> "dnssec-validation auto;"
Well, this seems to have done the trick. Changing it from yes to auto
has eliminated most (almost all in fact) of the validation
warnings/errors I was getting in my logs.
> tells named to use the compiled
>
In message <500985c0.3000...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> On 12-07-20 11:40 AM, Mark Andrews wrote:
> >
> > In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
> >> On 20/07/12 16:21, Mark Andrews wrote:
> >>>
> >>> In message <50096c2b.1080...@interlinx.bc.ca>,
On 12-07-20 11:40 AM, Mark Andrews wrote:
>
> In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
>> On 20/07/12 16:21, Mark Andrews wrote:
>>>
>>> In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
Just for good measure, since I think I have posted this b
In message <500978a5.4070...@imperial.ac.uk>, Phil Mayers writes:
> On 20/07/12 16:21, Mark Andrews wrote:
> >
> > In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> >> Just for good measure, since I think I have posted this before, but here
> >> are the options I have set
On 20/07/12 16:21, Mark Andrews wrote:
In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
Just for good measure, since I think I have posted this before, but here
are the options I have set in my bind configuration with regard to dnssec:
dnssec-enable yes;
In message <50096c2b.1080...@interlinx.bc.ca>, "Brian J. Murrell" writes:
> Just for good measure, since I think I have posted this before, but here
> are the options I have set in my bind configuration with regard to dnssec:
>
> dnssec-enable yes;
> dnssec-validation yes;
>
On 20/07/12 15:33, Brian J. Murrell wrote:
On 12-07-20 09:11 AM, Phil Mayers wrote:
Or, what happens if you start bind up in debug mode and run the query?
There will be a lot of output, but I've found most problems to be fairly
obvious if you read through it.
Yeah, there is a lot of output.
On 12-07-20 10:42 AM, Mark Andrews wrote:
>
> The NS RRset is the delegation records and as such has no RRSIGs.
> If you turn on minimal-responses the NS rrset won't be added and
> AD won't be cleared. AD is only set to 1 if all the records in the
> answer and authority sections are marked as se
In message , "Brian J. Murrell" writes:
> On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> >
> > The problem here seems to be fragmented UDP.
>
> I seem to have misdiagnosed this due to tcpdump peculiarities. I only
> initially saw/suspected the problem since my capture for port 53
> packets w
On 12-07-20 09:11 AM, Phil Mayers wrote:
>
> Or, what happens if you start bind up in debug mode and run the query?
> There will be a lot of output, but I've found most problems to be fairly
> obvious if you read through it.
Yeah, there is a lot of output. Too big of a haystack for me to find
th
On Fri, Jul 20, 2012 at 6:03 AM, Brian J. Murrell wrote:
> On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> >
> > The problem here seems to be fragmented UDP.
>
> I seem to have misdiagnosed this due to tcpdump peculiarities. I only
> initially saw/suspected the problem since my capture for port 5
In message <50095065.3050...@interlinx.bc.ca>, "Brian J. Murrell" writes:
>
> On 12-05-15 09:01 AM, Phil Mayers wrote:
> >
>
> Sorry about the way delayed response. There seems to be some confusion
> about which list/group gmane is following.
>
> > Isn't it more likely it's a local probl
On 20/07/12 14:03, Brian J. Murrell wrote:
# dig +dnssec @localhost 119.in-addr.arpa SOA
; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY
On 12-07-20 08:34 AM, Brian J. Murrell wrote:
>
> The problem here seems to be fragmented UDP.
I seem to have misdiagnosed this due to tcpdump peculiarities. I only
initially saw/suspected the problem since my capture for port 53
packets was including (only the first) ipv4 fragments. When addin
On 12-05-15 09:01 AM, Phil Mayers wrote:
>
Sorry about the way delayed response. There seems to be some confusion
about which list/group gmane is following.
> Isn't it more likely it's a local problem?
Indeed. But what, is the question (and I do have the answer, now --
see below).
> Which v
On 15/05/12 13:22, Brian J. Murrell wrote:
On 12-05-02 09:29 AM, Mark Andrews wrote:
* a firewall blocking EDNS queries.
* using a non DNSSEC enabled forwarder so you don't get signatures.
* a firewall blocking fragmented UDP and named falling back to
plain DNS.
* other packet loss causing n
On 12-05-02 09:29 AM, Mark Andrews wrote:
>
> * a firewall blocking EDNS queries.
> * using a non DNSSEC enabled forwarder so you don't get signatures.
> * a firewall blocking fragmented UDP and named falling back to
> plain DNS.
> * other packet loss causing named to fallback to plain DNS.
Gi
On 12-05-02 09:29 AM, Mark Andrews wrote:
>
>
> The zones are signed. Possible reason are:
>
> * a firewall blocking EDNS queries.
This shouldn't be the case. Outgoing traffic from the bind9 server
being used here should be completely unfettered.
> * using a non DNSSEC enabled forwarder so y
In message , "Brian J. Murrell" writes:
> Not having dipped my toe into DNSSEC yet (yes, I know, but time is
> always so scarce)...
>
> So I am seeing a bunch of this sort of thing in my BIND logs now:
>
> 04:02:18 named validating @0xb0f58988: 124.in-addr.arpa SOA: no valid signature found
Not having dipped my toe into DNSSEC yet (yes, I know, but time is
always so scarce)...
So I am seeing a bunch of this sort of thing in my BIND logs now:
04:02:18 named validating @0xb0f58988: 124.in-addr.arpa SOA: no valid signature
found
04:02:18 named validating @0xb0f58988: 124.in-addr.arpa