Unable to generate DNSSEC keys stored in HSM

2015-08-06 Thread Catalin Leanca
Hello, I have BIND 9.10 compiled with native PKCS#11 support and Thales nShield Connect HSM. The problem is with dnssec-keyfromlabel that is unable to generate key pair from HSM. First, the keys were generated in HSM using OpenDNSSEC. The keys are correctly listed by following command: $ sudo

expired KSK, other domains failed to resolve?

2015-08-06 Thread Lawrence K. Chen, P.Eng.
I wish I had the foresight to save the dig traces. But, on Tuesday we had a strange DNS outage. I have 3 outside facing authoritative-only nameservers named ns-1.ksu.edu, ns-2.ksu.edu, ns-3.ksu.edu, which are all slaves off our hidden master server. that in addition to being the authority

Re: Negation in view match-clients ACL doesn't work?

2015-08-06 Thread Cathy Almond
On 04/08/2015 21:29, Darcy Kevin (FCA) wrote: > The short answer is that that is how address-match-lists work: a non-negated > match allows access, a negated match denies access, and if there is *no* > match, access is denied. The only real reason to use a negated match, > therefore, is when wha
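The first-match rule Kevin describes is easy to get wrong, so here is a small model of how BIND evaluates an address-match-list, written as an added example for this page (it is not BIND code, and it only handles IP prefixes and the keyword "any", not nested ACL names or TSIG keys). The three sample lists and the two client addresses are constructed for the demonstration.

```python
"""Model of BIND address-match-list evaluation.

Rules modelled: elements are tried in order; the first element that matches
decides the outcome; a negated ("!") element that matches denies; if nothing
matches, the client is denied.  Added illustration, not BIND's own code.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# (negated?, "any" or a network)
Element = Tuple[bool, Union[str, Network]]


def parse_aml(text: str) -> List[Element]:
    """Parse a simplified list body such as '!10.0.0.0/8; any;'.

    Supported elements: IP prefixes, bare addresses and the keyword 'any',
    each optionally prefixed with '!'.  Nested ACLs and keys are out of scope.
    """
    elements: List[Element] = []
    for raw in text.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        token = token.lstrip("!").strip()
        if token == "any":
            elements.append((negated, "any"))
        else:
            elements.append((negated, ipaddress.ip_network(token, strict=False)))
    return elements


def element_matches(element: Element, client: Address) -> bool:
    """True when the client address falls inside the element (ignoring '!')."""
    _, net = element
    if isinstance(net, str):        # the keyword 'any'
        return True
    return client in net            # False if the IP versions differ


def aml_allows(elements: List[Element], client: Address) -> bool:
    """Apply the first-match rule and return whether the client is allowed."""
    for element in elements:
        if element_matches(element, client):
            negated, _ = element
            return not negated      # first match decides: '!' means deny
    return False                    # no element matched: deny


def demo() -> dict:
    """Evaluate three constructed lists for one private and one public client.

    Returns {list name: (allowed for 10.1.1.1, allowed for 192.0.2.1)}.
    """
    private_client = ipaddress.ip_address("10.1.1.1")
    public_client = ipaddress.ip_address("192.0.2.1")
    lists = {
        "negation only":     "!10.0.0.0/8;",        # denies everyone
        "negation then any": "!10.0.0.0/8; any;",   # the intended 'all but 10/8'
        "any then negation": "any; !10.0.0.0/8;",   # 'any' matches first: allows 10/8 too
    }
    return {
        name: (aml_allows(parse_aml(body), private_client),
               aml_allows(parse_aml(body), public_client))
        for name, body in lists.items()
    }


if __name__ == "__main__":
    for name, (private_ok, public_ok) in demo().items():
        print(f"{name:20s} 10.1.1.1 -> {private_ok}  192.0.2.1 -> {public_ok}")
```

The second list is the one people usually mean: the negated element must come first (so it can deny its subset) and a positive element such as "any" must follow it, otherwise the list matches nobody.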

Re: expired KSK, other domains failed to resolve?

2015-08-06 Thread Casey Deccio
On Thu, Aug 6, 2015 at 4:16 AM, Lawrence K. Chen, P.Eng. wrote: > So, in running some tests I found that "dig +trace kstatesports.com" > would get to ns-1.ksu.edu, show a couple of NSEC3 records and stop. > $ dig +short kstatesports.com ns ns-2.ksu.edu. ns-3.ksu.edu. ns-1.ksu.edu. Because the ksta

Question on "--with-libxml2" option while compiling on Sparc Solaris 10 and the Configuration Summary output.

2015-08-06 Thread Bhangui, Sandeep - BLS CTR
Hello, this is what I get in the summary after I run configure on BIND 9.10.2P3 source code when I use the "--with-libxml2" option for compiling. As we can see, the summary says that the option has been enabled. Configuration summary: --

Re: Question on "--with-libxml2" option while compiling on Sparc Solaris 10 and the Configuration Summary output.

2015-08-06 Thread Lawrence K. Chen, P.Eng.
The 9.10.2P3 build shows that '--enable-full-report' was set, while 9.9.7P2 doesn't have this configure option set. In the configure script it has libxml2 in the block that is only printed if '--enable-full-report' is set. On 2015-08-06 14:29, Bhangui, Sandeep - BLS CTR wrote: > Hello > > Thi

Re: do not stupidly delete ZSK files

2015-08-06 Thread Lawrence K. Chen, P.Eng.
On 2015-07-31 06:33, Tony Finch wrote: Most zones have four authoritative nameservers, only one of which I manage. Of the three I don't manage, I'm pretty sure at least two have no DNSSEC-specific configuration -- a hint that any DNSSEC records they serve come from this hidden primary. The DN

New BIND betas are available: 9.9.8b1 and 9.10.3b1

2015-08-06 Thread Michael McNally
New development versions of BIND are available. Release notes can be found at: BIND 9.9.8b1: ftp://ftp.isc.org/isc/bind9/9.9.8b1/RELEASE-NOTES.bind-9.9.8b1.html BIND 9.10.3b1: ftp://ftp.isc.org/isc/bind9/9.10.3b1/RELEASE-NOTES.bind-9.10.3b1.html Along with minor features such as new op

Re: do not stupidly delete ZSK files

2015-08-06 Thread Heiko Richter
On 07.08.2015 at 00:23, Lawrence K. Chen, P.Eng. wrote: > On 2015-07-31 06:33, Tony Finch wrote: >>> Most zones have four authoritative nameservers, only one of >>> which I manage. Of the three I don't manage, I'm pretty sure at >>> least two ha

configuration error in lists.isc.org

2015-08-06 Thread Heiko Richter
Hi! Nothing concerning Bind, but still relevant to all list users: Just wanted to let you all know about a configuration error on lists.isc.org. It doesn't rewrite any email headers, only reflects incoming messages to all list members which leads to

Re: do not stupidly delete ZSK files

2015-08-06 Thread Lawrence K. Chen, P.Eng.
On 2015-08-06 17:54, Heiko Richter wrote: On 07.08.2015 at 00:23, Lawrence K. Chen, P.Eng. wrote: On 2015-07-31 06:33, Tony Finch wrote: Most zones have four authoritative nameservers, only one of which I manage. Of the three I don't manage, I

Re: configuration error in lists.isc.org

2015-08-06 Thread /dev/rob0
On Fri, Aug 07, 2015 at 01:25:37AM +0200, Heiko Richter wrote: > Nothing concerning Bind, but still relevant to all list users: > > Just wanted to let you all know about a configuration error on > lists.isc.org. It doesn't rewrite any email headers, only reflects > incoming messages to all list me

[OT] Re: configuration error in lists.isc.org

2015-08-06 Thread Charles Swiger
On Aug 6, 2015, at 4:25 PM, Heiko Richter wrote: > Whenever I post something to the list (I'm not using SMTP, I'm using a > usenet server to post to comp.protocols.dns.bind), my postmaster > address receives DMARC notifications from list members that have > employed this wonderful protocol on thei

Re: do not stupidly delete ZSK files

2015-08-06 Thread Heiko Richter
On 07.08.2015 at 01:55, Lawrence K. Chen, P.Eng. wrote: > On 2015-08-06 17:54, Heiko Richter wrote: >> On 07.08.2015 at 00:23, Lawrence K. Chen, P.Eng. wrote: >>> On 2015-07-31 06:3

Re: do not stupidly delete ZSK files

2015-08-06 Thread Dave Warren
On 2015-08-06 17:26, Heiko Richter wrote: Root is signed with RSASHA256 at the moment. There is no sense in having a more secure algorithm because anybody who can't crack that algorithm may just attack the weakest link in the chain above you. This only holds while assuming similar key rotation

Re: do not stupidly delete ZSK files

2015-08-06 Thread Heiko Richter
On 07.08.2015 at 02:35, Dave Warren wrote: > On 2015-08-06 17:26, Heiko Richter wrote: >> Root is signed with RSASHA256 at the moment. There is no sense in >> having a more secure algorithm because anybody who can't crack that >> algorithm may just at

Re: [OT] Re: configuration error in lists.isc.org

2015-08-06 Thread Heiko Richter
On 07.08.2015 at 02:03, Charles Swiger wrote: > On Aug 6, 2015, at 4:25 PM, Heiko Richter wrote: >> Whenever I post something to the list (I'm not using SMTP, I'm >> using a usenet server to post to comp.protocols.dn

Re: do not stupidly delete ZSK files

2015-08-06 Thread Carl Byington
On Fri, 2015-08-07 at 02:46 +0200, Heiko Richter wrote: > Sadly automated KSK rollover isn't supported by most registrars, Yes, but I only need one registrar to support it :) I have python code that uses the gkg.net API to do automated KSK generation

Re: do not stupidly delete ZSK files

2015-08-06 Thread Heiko Richter
On 07.08.2015 at 03:36, Carl Byington wrote: > On Fri, 2015-08-07 at 02:46 +0200, Heiko Richter wrote: >> Sadly automated KSK rollover isn't supported by most registrars, > > Yes, but I only need one

Re: do not stupidly delete ZSK files

2015-08-06 Thread Casey Deccio
On Thu, Aug 6, 2015 at 7:55 PM, Lawrence K. Chen, P.Eng. wrote: > Ok, so way back then, they were running servers that didn't support > NSEC3 RRs and it had nothing to do with what algorithm we were using, 5 > for RSASHA1 or 7 for RSASHA1-NSEC3-SHA1. > DNSSEC introduces: new records (and typ

Re: do not stupidly delete ZSK files

2015-08-06 Thread Lawrence K. Chen, P.Eng.
On 2015-08-06 19:26, Heiko Richter wrote: Though back then I was still building bind 32-bit, and the hardware was much slower. A full signing was more than 10x longer than our current hardware, which can get it done in just under a minute. (usually) The need for speed is some people expect

Re: configuration error in lists.isc.org

2015-08-06 Thread Lawrence K. Chen, P.Eng.
On 2015-08-06 19:00, /dev/rob0 wrote: My SPF record doesn't include lists.isc.org, of course, and it never will. Furthermore it ends with "-all" so all my messages to the list are being rejected by list members who have SPF-aware servers. No, GNU Mailman (which is the software behind lists.i
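The disagreement in this thread comes down to which identity each check looks at: SPF is evaluated against the envelope sender (RFC 5321 MAIL FROM), which a Mailman list rewrites to its own bounce address, while DMARC requires the authenticated domain to align with the RFC 5322 From: header, which the list leaves alone. The following added example (not code from the list, from Mailman, or from any poster) models both checks over four constructed deliveries; the domains author.example and lists.example, their SPF records and the documentation-range IP addresses are all assumptions made up for the illustration.

```python
"""Why a mailing list passes SPF but fails DMARC alignment.

Added illustration with constructed data: author.example, lists.example,
their SPF records and the client IPs are not real.  The SPF evaluator only
understands ip4/ip6 mechanisms and 'all' with qualifiers; include:, a, mx
and the rest of RFC 7208 are deliberately out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed SPF records (assumption: not real DNS data).
SPF_RECORDS: Dict[str, str] = {
    "author.example": "v=spf1 ip4:203.0.113.10 -all",
    "lists.example":  "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class Message:
    client_ip: str                      # MTA that connected to the receiver
    mail_from: str                      # envelope sender (RFC 5321 MAIL FROM)
    header_from: str                    # RFC 5322 From: address
    dkim_domain: Optional[str] = None   # d= of a verified DKIM signature, if any


def spf_result(record: str, client_ip: str) -> str:
    """Evaluate a minimal SPF record for the connecting IP (RFC 7208 subset)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech.lower() == "all":
            matched = True
        elif mech.lower() in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue                    # unsupported mechanism: skipped in this model
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels; no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def evaluate(msg: Message) -> Dict[str, object]:
    """Run SPF on the envelope sender, then DMARC alignment against From:."""
    envelope_domain = domain_of(msg.mail_from)
    from_domain = domain_of(msg.header_from)
    spf = spf_result(SPF_RECORDS.get(envelope_domain, ""), msg.client_ip)
    # DMARC relaxed alignment: the authenticated domain must share the
    # organizational domain of the From: header domain.
    spf_aligned = spf == "pass" and org_domain(envelope_domain) == org_domain(from_domain)
    dkim_aligned = (msg.dkim_domain is not None
                    and org_domain(msg.dkim_domain) == org_domain(from_domain))
    return {
        "spf": spf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Four constructed deliveries of the same post.
SCENARIOS: Dict[str, Message] = {
    # Author's own MTA delivers directly to the recipient.
    "direct": Message("203.0.113.10", "heiko@author.example", "heiko@author.example"),
    # A naive forwarder keeps the author's envelope sender: SPF fails.
    "naive forwarder": Message("198.51.100.5", "heiko@author.example", "heiko@author.example"),
    # Mailman rewrites MAIL FROM to its bounce address: SPF passes for the list
    # domain, but it does not align with From:, so DMARC fails.
    "mailman": Message("198.51.100.5", "bind-users-bounces@lists.example", "heiko@author.example"),
    # Mailman with From: munging (the DMARC mitigation): everything aligns.
    "mailman from-munged": Message("198.51.100.5", "bind-users-bounces@lists.example",
                                   "heiko=author.example@lists.example"),
}


def run_all() -> Dict[str, Dict[str, object]]:
    return {name: evaluate(msg) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:22s} {verdict}")
```

The "mailman" row is the situation described in the thread: the receiver's SPF check passes (it is checking lists.example's record against the list server's IP), yet a recipient domain that enforces DMARC still reports a failure to the author's domain because neither SPF nor DKIM authenticates author.example for that message.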

Re: [OT] Re: configuration error in lists.isc.org

2015-08-06 Thread Matus UHLAR - fantomas
On Aug 6, 2015, at 4:25 PM, Heiko Richter wrote: Whenever I post something to the list (I'm not using SMTP, I'm using a usenet server to post to comp.protocols.dns.bind), my postmaster address receives DMARC notifications from list members that have employed this

tsig zone sharing between zones check + scream

2015-08-06 Thread Lawrence K. Chen, P.Eng.
Just noticed that about 12 hours ago, the business office person finally updated our KSK with the registrar. (where the window was last month.) Well, apparently history must repeat: 3 years ago, we rolled over from RSASHA256 to RSASHA256... but the person that did all the interaction with r
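Whether the DS the registrar published actually corresponds to the KSK you are serving (here, and in Carl's automated-KSK thread above) is something worth verifying before the old key goes away. The following is an added example, not code from any poster or from BIND: it computes the RFC 4034 key tag and the DS digest from a DNSKEY in presentation format and compares them with a DS string. The DNSKEY "257 3 8 AQIDBA==" is a constructed placeholder with a four-byte "public key", used only so the arithmetic is checkable; a real RSASHA256 key would be several hundred base64 characters.

```python
"""Derive the DS a parent should publish from a DNSKEY and check it.

Added illustration; the sample DNSKEY is a constructed placeholder, not a
real key.  Wire formats follow RFC 4034 (DNSKEY RDATA, key tag) and
RFC 4034/4509/6605 (DS digest over owner name + DNSKEY RDATA).
"""
import base64
import hashlib
from typing import Tuple

# DS digest types: 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(presentation: str) -> bytes:
    """'257 3 8 <base64...>' -> wire RDATA: flags(2) protocol(1) algorithm(1) key."""
    flags, proto, alg, *key_parts = presentation.split()
    key = base64.b64decode("".join(key_parts))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_record(owner: str, presentation: str, digest_type: int = 2) -> Tuple[int, int, int, str]:
    """(key tag, algorithm, digest type, digest hex) as the parent should publish it."""
    rdata = dnskey_rdata(presentation)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(published_ds: str, owner: str, presentation: str) -> bool:
    """Compare a DS in presentation form ('2063 8 2 <hex>') with a DNSKEY.

    Any mismatch in tag, algorithm, digest type or digest means the parent's
    DS does not point at this key, i.e. the chain of trust would be broken.
    """
    tag, alg, dtype, *digest_parts = published_ds.split()
    if int(dtype) not in DIGEST_ALGS:
        return False
    expected = ds_record(owner, presentation, int(dtype))
    return expected == (int(tag), int(alg), int(dtype), "".join(digest_parts).upper())


# Constructed placeholder keys (assumption: not real DNSSEC keys).
KSK = "257 3 8 AQIDBA=="   # flags 257 = zone key + SEP bit
ZSK = "256 3 8 AQIDBA=="   # same key material, SEP bit clear: different tag and DS


def format_ds(owner: str, presentation: str, digest_type: int = 2) -> str:
    tag, alg, dtype, digest = ds_record(owner, presentation, digest_type)
    return f"{tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    ds = format_ds("example.com.", KSK)
    print("DS to give the registrar:", ds)
    print("matches current KSK:", ds_matches(ds, "example.com.", KSK))
    print("matches ZSK instead:  ", ds_matches(ds, "example.com.", ZSK))
```

To use this against a live zone you would paste the DNSKEY line that `dig DNSKEY <zone>` returns for the key with flags 257 and the DS line that `dig DS <zone>` returns from the parent; the key tag printed by `dnssec-dsfromkey` must equal the one this computes.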

Re: configuration error in lists.isc.org

2015-08-06 Thread Reindl Harald
On 07.08.2015 at 01:25, Heiko Richter wrote: Whenever I post something to the list (I'm not using SMTP, I'm using a usenet server to post to comp.protocols.dns.bind), my postmaster address receives DMARC notifications from list members that have employed this wonderful protocol on their servers