Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Gabriele, On 6/22/12 11:22 AM, Gabriele Paggi wrote: > I'm a BIND novice and I'm trying to understand what causes my > BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried > for the A record of vlasext.partners.extranet.microsoft.

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Carsten Strotmann (private)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello Gabriele, On 6/22/12 11:22 AM, Gabriele Paggi wrote: > I'm a BIND novice and I'm trying to understand what causes my > BIND9 resolver (bind97-9.7.0-10.P2) to return an error when queried > for the A record of vlasext.partners.extranet.microsoft

Seeking Advice on DNSSEC Algorithm Rollover

2012-06-23 Thread Spain, Dr. Jeffry A.
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the following procedure might accomplish an algorithm rollover cleanly

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Gabriele Paggi
Hello Carsten, Thanks for your reply! about the FORMERR. This might be caused by a Firewall or other middlebox that truncates the large answer containing the NS record set for this domain. I see the same if I try to fetch the delegation NS records from the parent domain (microsoft.com) for part

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Gabriele Paggi
Hello Carsten, At Men& Mice I've investigated this issue a few weeks ago for one of our customers. At that point of time, we've seen NS records with private addresses: That's interesting but it still doesn't explain why BIND reports a format error in the reply it receives. The reply is nonsens

Re: Understanding cause of DNS format error (FORMERR)

2012-06-23 Thread Gabriele Paggi
Hello Jeffry, FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver. On this system "dig @localhost vlasext.partners.extranet.microsoft.com a" returns the answer 70.42.230.20 and identifies dns11.one.microsoft.com (94.245.124.49) as one of four authoritative servers. "dig @

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-23 Thread Alexander Gurvitz
Hello. I don't think that bind trying to sign with non-existent key will do any harm - probably just warning. But it's simpler - change metadata of the key - set deletion time to the time you want the key to be deleted (like DS deletion time+TTL). Bind with auto-dnnsec allow re-reads the metadata