Fully automated DNSSEC with BIND 9.16

Hello, hope everyone is fine. So it seems that going to Bind version 9.16 was the right call as it simplifies DNSSEC a lot. Nevertheless, I would like to clarify some things because our organization has a parent domain and I host my own e-mail servers. I know they had problems while implementing

Re: Fully automated DNSSEC with BIND 9.16

Hello David, On 4/11/23 12:02, David Carvalho via bind-users wrote: Hello, hope everyone is fine. So it seems that going to Bind version 9.16 was the right call as it simplifies DNSSEC a lot. Nevertheless, I would like to clarify some things because our organization has a parent domain and

RE: Fully automated DNSSEC with BIND 9.16

Hello and thank you so much for your help. Regarding question 1, My version is 9.16-9.1623-0.9.el8...so I got the bug. No update available from Oracle Linux yet, so I'll create a folder and maintain a copy of those files there. In which situation should I be required to resend my key to the top

Re: Fully automated DNSSEC with BIND 9.16

On 4/11/23 13:14, David Carvalho wrote: Hello and thank you so much for your help. Regarding question 1, My version is 9.16-9.1623-0.9.el8...so I got the bug. No update available from Oracle Linux yet, so I'll create a folder and maintain a copy of those files there. In which situation should I

RE: Fully automated DNSSEC with BIND 9.16

Thank you so much! Regards David -Original Message- From: bind-users On Behalf Of Matthijs Mekking Sent: 11 April 2023 13:03 To: bind-users@lists.isc.org Subject: Re: Fully automated DNSSEC with BIND 9.16 On 4/11/23 13:14, David Carvalho wrote: > Hello and thank you so much for your

Does DNSSEC increased packet size reach end computers?

I was in the process of setting up a test server with DNSSEC signed domains, and asking users to point at the test server to see if the larger packets affected their application, when I realized I might be wrong. DNS Resolvers will get bigger responses from DNS Authoritative servers because of DNSS

Re: Does DNSSEC increased packet size reach end computers?

You are correct. Normal stub resolvers on desktop clients or mobile devices only see the AD flag (or SERVFAIL when validation fails). They will only get all the additional DNSSEC record types if they used the +dnssec option in dig (which sets the DO bit in the outbound query). On Tue, Apr 11, 2023

Re: Does DNSSEC increased packet size reach end computers?

There are some applications that will do DNSSEC. You should assume that any application may ask for DNSSEC records and that is normal. DNSSEC was designed from the very beginning to be validated in the application and only works fully when that is done. The recursive server still needs to val

BIND operating in Parental Agent role (according to RFC 7344)?

Hi list. I'm currently running a few DNSSEC zones in BIND using dnssec-policy option, albeit with an unlimited lifetime on the KSK, so that I can control KSK roll-overs (which is necessary because my Registrar doesn't support RFC 7344)... Anyway I know that BIND supports RFC 7344 via parenta