Hi,
Maybe you are looking for dnsperf and resperf [1]. We have done some
tests similar to these in [2] and [3], so maybe it helps. Replaying
captures of traffic may also be recommended especially to consider, for example,
queries with no answers. At least for DNSSEC this matters.
[1] http://www.n
Hi,
I just enable bind as caching name server and when watching logs I got
below errors.
error (network unreachable) resolving
'www.indiaresultsalert.com//IN': 2001:503:a83e::2:30#53
error (network unreachable) resolving 'ns-797.awsdns-35.net/A/IN':
2001:503:231d::2:30#53
error (network
On 10 May 2012, at 09:47, Ben wrote:
> I just enable bind as caching name server and when watching logs I got below
> errors.
You seem to be noticing 3 kinds of error.
"Network unreachable" messages refer only to IPv6 destinations.
Perhaps you have IPv6 enabled on the sy
On 10/05/12 09:47, Ben wrote:
> Hi,
> I just enable bind as caching name server and when watching logs I got
> below errors.
It looks like you have broken IPv6 connectivity - your machine believes
it has an IPv6 address and possibly a default route, but it doesn't work.
Check your networking confi
Hi, Bind'ers,
I'm trying to have a TTL of a zone just by typing a command, but I can't
see which command line I can use to have the solution.
Can someone have an idea? Is it possible to find that?
PS: The zone file is not created by me. For example, I made a dig +dnssec
www.google.fr and I wa
William Thierry wrote on 05/10/2012 08:02:57 AM:
> I'm trying to have a TTL of a zone just by typing a command, but I
> can't see which command line I can use to have the solution.
>
> Can someone have an idea? Is it possible to find that?
>
> PS: The zone file is not created by me. For exam
When you do a dig, the TTL is the 2nd column:
;; ANSWER SECTION:
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 74.125.225.20
www.l.google.com. 300 IN A 74.125.225.19
www.l.google.com. 300 IN A
Barry Margolin wrote:
>
> [Validation is] only untroublesome until someone screws things up on
> their auth server. When one of your users can't access something.gov,
> they'll complain to YOU, even though it's mostly out of your hands.
>
> This is true for other problems on auth servers as well,
In article ,
Tony Finch wrote:
> Barry Margolin wrote:
> >
> > [Validation is] only untroublesome until someone screws things up on
> > their auth server. When one of your users can't access something.gov,
> > they'll complain to YOU, even though it's mostly out of your hands.
> >
> > This is
On 05/10/2012 04:33 PM, Barry Margolin wrote:
> In article,
> Tony Finch wrote:
>> Barry Margolin wrote:
>>> [Validation is] only untroublesome until someone screws things up on
>>> their auth server. When one of your users can't access something.gov,
>>> they'll complain to YOU, even though it's mostly ou
On May 10, 2012, at 11:20 AM, Daniel Ryšlink wrote:
>
> On 05/10/2012 04:33 PM, Barry Margolin wrote:
>> In article,
>> Tony Finch wrote:
>>
>>> Barry Margolin wrote:
>>>> [Validation is] only untroublesome until someone screws things up on
>>>> their auth server. When one of your users can
On 10/05/2012 17:20, Daniel Ryšlink wrote:
> What's the point of DNSSec when resolver administrators configure
> exceptions on regular basis? If you can't be sure when your resolver
> does or does not validate, why having signed zones in the first place?
> It just seems to be another "shared ill
Warren wrote on 05/10/2012 11:50:30 AM:
> Nope -- Comcast does a large amount of checking before turning off
> validation for a failing domain.
> This is (IMO) more secure than the alternative, which is to simply
> leave it failing, and have users move to a non-validating resolver
> instead?
D
All,
key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
It has been deleted from the repository at 2012-05-07T14:55:02.569706,
but is still included by named 9.9.0 in the zone framail.de
(as of 2012-05-10T19:51:32).
Is this a bug, triggered by my timing?
Should I wait one more
On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:
> Warren wrote on 05/10/2012 11:50:30 AM:
>
>> Nope -- Comcast does a large amount of checking before turning off
>> validation for a failing domain.
>> This is (IMO) more secure than the alternative, which is to simply
>> leave it failing,
Hello all.
What random device used for ?
ARM says "Entropy is primarily needed for DNSSEC operations,
such as ... dynamic update of signed zones". I don't get why signing a zone
requires any randomness.
This bothers me as I'm implementing DNSSEC now, and I know that my systems
are low at entropy,
On 10.05.2012 at 21:32, Alexander Gurvitz wrote:
> Did you delete it manually (at 2012-05-07T14:55:02.569706) ?
Yes; i.e. my script.
> If so, maybe it's still in the zone because BIND doesn't know the timing
> metadata anymore ?
I thought that would be in the journal or internal repository of na
On May 10, 2012, at 3:41 PM, Alexander Gurvitz wrote:
> Hello all.
>
> What random device used for ?
> ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
>
> This bothers me as I'm
On 10.05.2012 at 19:55, Axel Rau wrote:
> key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
> It has been deleted from the repository at 2012-05-07T14:55:02.569706,
> but is still included by named 9.9.0 in the zone framail.de
> (as of 2012-05-10T19:51:32).
To clarify: I'm u
Hi there,
On Thu, 10 May 2012, Alexander Gurvitz wrote:
> What random device used for ?
Cryptographic operations, loading libraries in random locations to
avoid insidious attacks, that kind of thing.
> This bothers me as I'm implementing DNSSEC now, and I know that my systems
> are low at entropy
Some signature methods require this, some do not. RSA should not (in general)
but RSA encryption in practice may. Signing is different, in that you know
both halves (encrypted and cleartext) so it should not require padding.
I think DSA does require randomness in signing.
--Michael
On May 10
On Thu, May 10, 2012 at 11:04 PM, Axel Rau wrote:
>
>> Did you delete it manually (at 2012-05-07T14:55:02.569706) ?
> Yes; i.e. my script.
>> If so, maybe it's still in the zone because BIND doesn't know the timing
>> metadata anymore ?
> I thought that would be in the journal or internal reposito
> > key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
> > It has been deleted from the repository at 2012-05-07T14:55:02.569706,
> > but is still included by named 9.9.0 in the zone framail.de
> > (as of 2012-05-10T19:51:32).
>
> To clarify: I'm using inline-signing.
> The repo
In message
, Alexander Gurvitz writes:
> Hello all.
>
> What random device used for ?
> ARM says "Entropy is primarily needed for DNSSEC operations,
> such as ... dynamic update of signed zones". I don't get why signing a zone
> requires any randomness.
It doesn't for RSA. However DSA does r
In message
, Alexander Gurvitz writes:
> On Thu, May 10, 2012 at 11:04 PM, Axel Rau wrote:
> >
> >> Did you delete it manually (at 2012-05-07T14:55:02.569706) ?
> > Yes; i.e. my script.
> >> If so, maybe it's still in the zone because BIND doesn't know the timing
> >> metadata anymore ?
> > I th
In message <532c3631-d503-4dc0-88c9-600a90564...@kumari.net>, Warren Kumari writes:
>
> On May 10, 2012, at 12:52 PM, wbr...@e1b.org wrote:
>
> > Warren wrote on 05/10/2012 11:50:30 AM:
> >
> >> Nope -- Comcast does a large amount of checking before turning off
> >> validation for a f
Hello,
Multiple zones with a single key - is possible with BIND ?
Regards,
Alexander Gurvitz,
net-me.net
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
> Multiple zones with a single key - is possible with BIND ?
There was a recent discussion on this topic. See thread beginning at
https://lists.isc.org/pipermail/bind-users/2012-April/087481.html. Jeff.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
> Comcast has taken a pragmatic view. I'm glad to see they've turned on
> validation, but I can see why they need to configure exceptions. Without
> being able to manage exceptions, large ISPs are not going to turn on
> validation.
Indeed, which brings on the question why BIND (still) doesn't have