On 05/02/2014 18:54, David Newman wrote:
> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
> time a zone's ZSK changes.
>
> Is this just a matter of a new 'rndc signing' command, or is some action
> needed to remove the old salt?
>
> thanks
>
> dn
rndc signing -nsec3param
Hi!
I just noticed that on "rndc signing -clear all zone", Bind removes the
private RRs, updates the NSEC3 RR, and increases the serial, but it does
not send NOTIFYs.
I guess this is a bug.
I tested bind 9.9.5, with inline-signing of a zone.
regards
Klaus
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of a new 'rndc signing' command, or is some action
needed to remove the old salt?
thanks
dn
On Feb 3 2014, Michael McNally wrote:
[...]
The remainder of this posting explains the potential issue,
which we believe will not affect most operators, but you
should be aware of the potential in case you are one of
those affected. This explanation is also provided in our
Knowledge Base: https
On 06/02/2014 12:58, Timothe Litt wrote:
> On 06-Feb-14 05:56, Cathy Almond wrote:
>> On 05/02/2014 18:54, David Newman wrote:
>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
>>> time a zone's ZSK changes.
>>>
>>> Is this just a matter of a new 'rndc signing' command, or i
Hi everyone,
I just tried connecting bind9 to a MS-SQL database via ODBC (DLZ).
I'm just writing to say that there is an error (actually several) in the
bind9 DLZ driver for ODBC.
Somebody with write access to the repo should correct it, please.
The error is in this file:
bind9/bind-9.9.5/contr
On 06.02.2014 14:58, Cathy Almond wrote:
On 06/02/2014 12:58, Timothe Litt wrote:
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of a new
On 06.02.2014 11:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZSK changes.
Is this just a matter of a new 'rndc signing' command, or is some action
needed to remove the old salt?
thanks
d
What is the best way to disable RPZ for a few clients (without forcing
those clients to use different DNS server IPs)? I think I could
create a new view that has all the same zones and zone contents except
for the RPZ one. If I go this route, is it still required to set up
per-view IP aliases on
On 02/06/2014 06:27 AM, Chuck Anderson wrote:
I was kinda hoping that newer
versions of BIND could share zones (with identical zone contents)
between views without requiring the messy multiple IP alias setup.
You have always been able to do this with include files.
hth,
Doug
On 02/06/2014 04:27 AM, Klaus Darilion wrote:
Hi!
I just noticed that on "rndc signing -clear all zone", Bind removes the
private RRs, updates the NSEC3 RR, and increases the serial, but it does
not send NOTIFYs.
I guess this is a bug.
I tested bind 9.9.5, with inline-signing of a zone.
Does
On Thu, Feb 06, 2014 at 09:50:26AM -0800, Doug Barton wrote:
> On 02/06/2014 06:27 AM, Chuck Anderson wrote:
> >I was kinda hoping that newer
> >versions of BIND could share zones (with identical zone contents)
> >between views without requiring the messy multiple IP alias setup.
>
> You have alwa
On Thu, Feb 06, 2014 at 03:10:03PM -0500, Chuck Anderson wrote:
> > You have always been able to do this with include files.
>
> I'm not sure how this helps. If you do this:
>
> Then the "global" view sees updates to example.com quickly, as soon as
> NOTIFY is sent by the master and the zone is
On Thu, 6 Feb 2014, Chuck Anderson wrote:
On Thu, Feb 06, 2014 at 09:50:26AM -0800, Doug Barton wrote:
On 02/06/2014 06:27 AM, Chuck Anderson wrote:
I was kinda hoping that newer
versions of BIND could share zones (with identical zone contents)
between views without requiring the messy multiple
On Thu, Feb 06, 2014 at 02:49:03PM -0600, Jay Ford wrote:
> I like the "trick" of having view A pull the zone from the real master &
> notify view B, while view B pulls the zone locally from view A, using TSIG
> keys to indicate the "other" view for the notify & transfer.
>
> Adapting your config,
On Thu, 6 Feb 2014, Chuck Anderson wrote:
Neat. Is there any problem with using the exact same zone file in
both views? I worry that one view might fight with the file from the
other view...
Oh yeah, sorry, I left that bit out. The slave files do need to be unique or
they will over-write ea
On 06-Feb-14 09:14, Klaus Darilion wrote:
On 06.02.2014 14:58, Cathy Almond wrote:
On 06/02/2014 12:58, Timothe Litt wrote:
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's ZS