Re: dnssec-keygen not responding

2011-11-30 Thread Adam Tkac
On Wed, Nov 30, 2011 at 12:18:04AM -0500, Alan Clegg wrote: > On 11/30/2011 12:15 AM, vishesh kumar wrote: > > Hi All > > > > I am trying to generate keys for signing vishesh.com > > domain using following command (for testing purpose) > > > > dnssec-keygen -a RSASHA1 -b 768

Re: dnssec-keygen not responding

2011-11-30 Thread Torsten Segner
On Wed, 30 Nov 2011 09:40:44 +0100, Adam Tkac wrote: > On Wed, Nov 30, 2011 at 12:18:04AM -0500, Alan Clegg wrote: > > On 11/30/2011 12:15 AM, vishesh kumar wrote: > > > Hi All > > > > > > I am trying to generate keys for signing vishesh.com > > > domain using following com

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 11/29/2011 11:53 PM, Doug Barton wrote: On 11/29/2011 15:33, Chris Thompson wrote: With a mixture of small and large zones, signed and unsigned, choosing sensible values for max-journal-size can become rather tedious (unless one is prepared to say "disc space is cheap, make them all"). I

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 11/29/2011 11:33 PM, Chris Thompson wrote: With a mixture of small and large zones, signed and unsigned, choosing sensible values for max-journal-size can become rather tedious (unless one is prepared to say "disc space is cheap, make them all "). We sort of did this accidentally. "max-jo

Re: Choosing max-journal-size

2011-11-30 Thread Doug Barton
On 11/30/2011 01:23, Phil Mayers wrote: > On 11/29/2011 11:53 PM, Doug Barton wrote: >> On 11/29/2011 15:33, Chris Thompson wrote: >>> With a mixture of small and large zones, signed and unsigned, choosing >>> sensible values for max-journal-size can become rather tedious (unless >>> one is prepare

Re: Choosing max-journal-size

2011-11-30 Thread Matus UHLAR - fantomas
On 11/29/2011 11:33 PM, Chris Thompson wrote: With a mixture of small and large zones, signed and unsigned, choosing sensible values for max-journal-size can become rather tedious (unless one is prepared to say "disc space is cheap, make them all "). On 30.11.11 09:32, Phil Mayers wrote: We

Re: Choosing max-journal-size

2011-11-30 Thread Anand Buddhdev
On 30/11/2011 10:32, Phil Mayers wrote: > We sort of did this accidentally. "max-journal-size" wasn't being set on > our servers - the .jnl file for "imperial.ac.uk" was nearly 2Gb... oops. > > The value I set it to eventually was pretty big - 128M globally - which > on our biggest zones seems to

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 30/11/11 10:09, Matus UHLAR - fantomas wrote: Well, that's way too much. The main point of journal is imho to provide I think this is a decision for each operator to make themselves.

found a bug in bind9.7.3

2011-11-30 Thread 张海阔
Hello, bind-users, I found a bug in the openssl patch in bind 9.7.3. The pk11_active_add function should be called with the active list lock protection in the pk11_get_private_rsa_key function in the hw_pk11so_pub.c file, but it is not locked. The other question is why pFuncList->C_Finalize is commented in

Re: Choosing max-journal-size

2011-11-30 Thread Matus UHLAR - fantomas
On 30/11/11 10:09, Matus UHLAR - fantomas wrote: Well, that's way too much. The main point of journal is imho to provide On 30.11.11 11:51, Phil Mayers wrote: I think this is a decision for each operator to make themselves. I was trying to explain that there are reasonable limits over which

Re: Choosing max-journal-size

2011-11-30 Thread Sam Wilson
In article , Matus UHLAR - fantomas wrote: > >On 30/11/11 10:09, Matus UHLAR - fantomas wrote: > >>Well, that's way too much. The main point of journal is imho to provide > > On 30.11.11 11:51, Phil Mayers wrote: > >I think this is a decision for each operator to make themselves. > > I was try

Re: Choosing max-journal-size

2011-11-30 Thread Shumon Huque
On Wed, Nov 30, 2011 at 11:09:48AM +0100, Matus UHLAR - fantomas wrote: > Well, that's way too much. The main point of journal is imho to > provide IXFR, and IXFR is only worth using when its size is smaller > than AXFRs. > > That means jnl should not get (much) bigger than zone file itself. > (un

Re: Choosing max-journal-size

2011-11-30 Thread Phil Mayers
On 30/11/11 12:10, Matus UHLAR - fantomas wrote: On 30/11/11 10:09, Matus UHLAR - fantomas wrote: Well, that's way too much. The main point of journal is imho to provide On 30.11.11 11:51, Phil Mayers wrote: I think this is a decision for each operator to make themselves. I was trying to ex

Re: make bind-9.7.4-P1 fails when --prefix and --exec-prefix switches are used

2011-11-30 Thread jagan padhi
Hi, I am facing this issue while compiling 9.7.4-p1 in solaris 10 box. Please suggest me what could be the issue. ./configure --prefix=/opt/bind971-NXD-1 --enable-threads --enable-largefiles --disable-openssl-version-check configure: WARNING: unrecognized options: --enable-largefiles checking b

Re: make bind-9.7.4-P1 fails when --prefix and --exec-prefix switches are used

2011-11-30 Thread Anand Buddhdev
On 30/11/2011 17:27, jagan padhi wrote: > Hi, > > I am facing this issue while compiling 9.7.4-p1 in solaris 10 box. Please > suggest me what could be the issue. > > > ./configure --prefix=/opt/bind971-NXD-1 --enable-threads > --enable-largefiles --disable-openssl-version-check > > configure: W

Re: make bind-9.7.4-P1 fails when --prefix and --exec-prefix switches are used

2011-11-30 Thread Jeremy C. Reed
On Wed, 30 Nov 2011, jagan padhi wrote: > checking build system type... sparc-sun-solaris2.10 > checking for a sed that does not truncate output... ./configure: line 4579: > /usr/bin/cmp: cannot execute binary file What does this tell you? file /usr/bin/cmp (Maybe you have /usr/bin/cmp for

Re: sub-domain setup

2011-11-30 Thread Dan McDaniel
On Mon 28.Nov.11 14:39, Doug Barton wrote: On 11/28/2011 10:20, Dan McDaniel wrote: I'm setting up a new DNS server. We have two offices linked by a VPN. I'm trying to decide whether to have everything under a single domain (example.com) or to split them into sub-domains (office1.example.com, o

Re: Choosing max-journal-size

2011-11-30 Thread Michael Graff
On Nov 30, 2011, at 4:09 AM, Matus UHLAR - fantomas wrote: >> On 11/29/2011 11:33 PM, Chris Thompson wrote: >> I wonder if an external tool to "trim" the journal would be an option? You'd >> need a timestamp on records (relying on the RRSIGs mean it only works for >> signed). Not sure about the

Re: dnssec-keygen not responding

2011-11-30 Thread Michael Graff
On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote: > In RHEL there is an RPM package called unuran. > It's a random number generator daemon using either a piece of hardware or > /dev/urandom as source. Running this will provide enough entropy to create > lots of keys. I'd be rather wary of keys

Re: found a bug in bind9.7.3

2011-11-30 Thread Michael Graff
Hello 张海阔, I've opened a bug ticket for this one. I don't know that bind-users is a good place to continue discussions, but consider perhaps bind-workers (which is more for coders). I'll send you a link to the bug in separate message. --Michael On Nov 30, 2011, at 6:09 AM, 张海阔 wrote: > hell

Re: dnssec-keygen not responding

2011-11-30 Thread Mark Elkins
On Wed, 2011-11-30 at 13:45 -0600, Michael Graff wrote: > On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote: > > In RHEL there is an RPM package called unuran. > > It's a random number generator daemon using either a piece of hardware or > > /dev/urandom as source. Running this will provide enough

Re: Algorithm 'When to use EDNS0'?

2011-11-30 Thread Mark Elkins
On Tue, 2011-11-29 at 15:36 +0200, Mark Elkins wrote: > When does 'EDNS' get brought into the picture? > A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) - > but a dig without '+dnssec' and actually asking for the 'dnskey' records > for a domain - which is over 512 bytes - does

Re: Algorithm 'When to use EDNS0'?

2011-11-30 Thread Mark Andrews
In message <1322689151.15146.69.ca...@mjelap.posix.co.za>, Mark Elkins writes: > On Tue, 2011-11-29 at 15:36 +0200, Mark Elkins wrote: > > When does 'EDNS' get brought into the picture? > > A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) - > > but a dig without '+dnssec' and

Re: dnssec-keygen not responding

2011-11-30 Thread Paul Wouters
On Wed, 30 Nov 2011, Michael Graff wrote: On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote: In RHEL there is an RPM package called unuran. It's a random number generator daemon using either a piece of hardware or /dev/urandom as source. Running this will provide enough entropy to create lots

RE: dnssec-keygen not responding

2011-11-30 Thread Spain, Dr. Jeffry A.
> I'd be rather wary of keys made from /dev/urandom but I am often times a > paranoid security freak. Inexpensive USB-attachable RNG: http://www.entropykey.co.uk/ Jeffry A. Spain Network Administrator Cincinnati Country Day School