DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-15 Thread Александр Остапенко
Hello. I'm using BIND 9.9.5. My steps: 1. Sign zone using one 1 ZSK and 2 KSK: a) adding "*auto-dnssec maintain;*" and "*inline-signing yes;*" directive into zone section of named.conf; b) setting publication and activation timestamps to current time in key files; c) *rndc reload*.

Re: Delegation questions

2016-08-15 Thread Sam Wilson
Speaking as a European, at least for now, I suspect the forwarding mindset is more from the enterprise and security culture rather than being territorial. There's a viewpoint that says things are better if they are tightly controlled and predictable, so always using the same configured path fo

RE: Stub Zone Behavior?

2016-08-15 Thread Darcy Kevin (FCA)
Forwarding is a different beast from "stub" (recursive rather than iterative resolution). I'd look at "static-stub", if your NS list is overgrown with useless/unreachable stuff. It's configured basically the same way as forwarding, but without making the paradigm shift (and possible unforeseen

Disabling rate-limit?

2016-08-15 Thread blrmaani
I inherited a DNS server which is running BIND 9.8.x. There was a DNS incident where our customers complained that they saw query timeouts intermittently (Our customers run cassandra/hadoop applications and send same queries repeatedly). They also run nscd on their hosts but I was told all have

Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

2016-08-15 Thread Mark Andrews
In message , Александр Остапенко writes: > Hello. > > I'm using BIND 9.9.5. > My steps: > >1. Sign zone using one 1 ZSK and 2 KSK: a) adding "*auto-dnssec >maintain;*" and "*inline-signing yes;*" directive into zone section of >named.con

Re: Disabling rate-limit?

2016-08-15 Thread Jay Ford
On Mon, 15 Aug 2016, blrmaani wrote: I inherited a DNS server which is running BIND 9.8.x. There was a DNS incident where our customers complained that they saw query timeouts intermittently (Our customers run cassandra/hadoop applications and send same queries repeatedly). They also run nscd o

Re: Disabling rate-limit?

2016-08-15 Thread John Miller
Hi Blr, First things first: if your customers are sending queries, this is probably about their own recursive queries timing out, rather than incoming authoritative queries timing out. Something else you should check: are your customers receiving a delayed (say a few seconds) SERVFAIL response, o

Re: Disabling rate-limit?

2016-08-15 Thread blrmaani
From tcpdump, it appears that customers are receiving delayed response and are too sensitive for timeouts. The queries they are sending are authoritative, i.e. the zone is on our nameserver. How do I troubleshoot this issue? This is really intermittent and hard to reproduce.. thanks Blr O