Re: Non-disruptive migration to dnssec-policy possible?

2020-04-06 Thread Matthijs Mekking
To follow-up, Migration from existing keys to dnssec-policy was indeed not working properly, because the internal key states were not initialized properly. Key states were always initialized as "HIDDEN" and that is why the keymgr thought it could delete those keys immediately. The fix is to look

Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Tony Finch
> Because the AD domain controllers already own 10.in-addr.arpa, they > refuse to allow us to configure conditional forwarding for its > subdomains. So we delegated the subdomains to the inbound endpoints. > Because they are delegations, the domain controllers set the recursion > desired flag to 0

dnssec-signzone

2020-04-06 Thread David Alexandre M. de Carvalho
Hi all. So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6). Unfortunately no automatic signing before Bind 9.9, from what I read. I can't sign my zone, I keep getting "dnssec-signzone: fatal: No signing keys specified or found." By now I've tried to move the files generated with dn

Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Chris Buxton
On Apr 3, 2020, at 9:06 AM, bind-li...@iano.org wrote: > Because the AD domain controllers already own 10.in-addr.arpa, they refuse to > allow us to configure conditional forwarding for its subdomains. So we > delegated the subdomains to the inbound endpoints. Because they are > delegations, the

[Fwd: dnssec-signzone]

2020-04-06 Thread David Alexandre M. de Carvalho
Hi again. So finally I was able to sign my zone thanks to a different (older) tutorial. I specified dnssec-signzone with flags -o and -S and it worked! If anyone could please answer these questions, I would appreciate it 1) do I need to generate those 2 .key and .private files if I intend to sign

Re: dnssec-signzone

2020-04-06 Thread Tony Finch
David Alexandre M. de Carvalho wrote: > So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6). > Unfortunately no automatic signing before Bind 9.9, from what I read. BIND 9.8 has automatic signing, but not inline signing. However nsdiff is almost as good as inline signing, and I wro

Re: Can we provide recursion for forward zones in response to iterative queries?

2020-04-06 Thread Mark Andrews
As 10.in-addr.arpa is private namespace *all* of your recursive servers should be configured to serve it. This is similar to how all of your recursive nameservers know where the root servers are except you are using a slave zone instead of a hint zone. i.e. 10.in-addr.arpa { type slave