I think I have solved the mystery: BIND (or OpenSSL, whoever does the
validation) requires a Subject Alternative Name. Regardless of whether using the hostname
or the IP address, they must be in the subject alternative name. When using
self-signed certificates, it is probably best to put both in the SAN.
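As an added example (not code from the thread or from BIND/ISC), the commands below create a self-signed certificate whose SAN carries both a placeholder hostname and a placeholder IP address, as suggested above, and then use `openssl verify` to confirm that the hostname and IP checks accept only the names actually listed in the SAN. The hostname and address are assumptions for the demo, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread. Generates a self-signed
# certificate with both DNS and IP entries in subjectAltName and checks which
# names an OpenSSL-based verifier (as used by a TLS client such as BIND's XoT
# transfer client) will accept for it.
set -eu

HOST="xot-primary.example.net"   # placeholder hostname (assumption)
IP="192.0.2.10"                  # placeholder address from the documentation range
DIR="$(mktemp -d)"

# The CN alone is not consulted by modern verifiers; every name a client may
# connect with (hostname and literal IP) has to appear in subjectAltName.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$DIR/primary.key" -out "$DIR/primary.crt" \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,IP:$IP" >/dev/null 2>&1
}

# Return 0 if the certificate verifies for the given hostname. The self-signed
# certificate is its own trust anchor, so it is passed as the CA file.
check_host() {
    openssl verify -CAfile "$DIR/primary.crt" -verify_hostname "$1" \
        "$DIR/primary.crt" >/dev/null 2>&1
}

# Same check for a literal IP address (matches only IP: SAN entries).
check_ip() {
    openssl verify -CAfile "$DIR/primary.crt" -verify_ip "$1" \
        "$DIR/primary.crt" >/dev/null 2>&1
}

make_cert
# Show what actually ended up in the SAN extension.
openssl x509 -in "$DIR/primary.crt" -noout -ext subjectAltName
check_host "$HOST" && echo "hostname $HOST: accepted"
check_ip "$IP" && echo "IP $IP: accepted"
check_host "other.example.net" || echo "hostname other.example.net: rejected (not in SAN)"
check_ip "192.0.2.99" || echo "IP 192.0.2.99: rejected (not in SAN)"
```

Run the same `-verify_hostname` / `-verify_ip` checks against your real primary's certificate with the exact hostname or address you put in the `tls-hostname` or `primaries` clause to see which of the two the verifier will reject.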
I see this note and some examples on this page that include the DNS: option:
http://wiki.cacert.org/FAQ/subjectAltName
FAQ/subjectAltName (SAN)
What is subjectAltName?
subjectAltName specifies additional subject identities, but for host names (and
everything else defined for subjectAltName):
> -Original Message-
> From: Petr Špaček
> Sent: Tuesday, March 4, 2025 6:11 PM
> To: Robert Wagner ; Klaus Darilion
>
> Cc: bind-us...@isc.org
> Subject: Re: XoT Testing: TLS peer certificate verification failed
>
> > I think I have solved the mistery: Bind (or openssl, who ever does th
On 04. 03. 25 9:53, Laszlo Szollosi wrote:
Many thanks for your response.
By mitigation, I mean we have seen an increase in resource utilization,
but it would have been much worse without the 'minimal-responses'
setting (reduced impact).
By prevention, I mean we would not have had the impact a
Returning REFUSED to ANY is antisocial as it requires every resolver in the world to special-case this. There are better mechanisms to deal with it, like returning TC=1 or BADCOOKIE if there is only a client cookie, or returning one of the RRsets at the name.
--
Mark Andrews
On 4 Mar 2025, at 18:21
Hi Petr,
Many thanks for your response.
By mitigation, I mean we have seen an increase in resource utilization, but
it would have been much worse without the 'minimal-responses' setting
(reduced impact).
By prevention, I mean we would not have had the impact at all.
By a spike, I mean the CPU util
Hi Petr,
Thank you for the quick response.
Yes, I said it before, the utilization stayed high. :)
I checked it now and I can see increased network traffic, memory and disk
utilization for the same time period.
Kind Regards,
Laszlo
On Tue, 4 Mar 2025 at 09:14, Petr Špaček wrote:
> On 04. 03. 25
Sounds like this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3896
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
On 4. 3. 2025, at 10:01, Klaus Darilion via bind-users wrote:
May it be that the validation is just broken? Even when using dig, and
explicitly using the hostname of the Primary (which uses its hostname in its
certificate) in @... and tls-hostname, the verification fails due to hostname
mismatch:
# dig @xot-test-primary.ops.nic.at test.klaus +tls axfr +tl
In my case it should not be SNI relevant, as the server only has 1 certificate
to present. Anyways, I will now test with a certificate that uses the IP
address in the Subject CN.
Regards
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
F