On 2/6/2012 1:35 PM, Gaurav kansal wrote:
> Can anyone please tell me why TYPE50 RR is showing in response
> coming from .in domain
Because your version of DIG does not understand NSEC3 records.
http://tools.ietf.org/html/rfc5155
AlanC
--
a...@clegg.com | 1.919.355.8851
On 2/14/2012 1:42 PM, Chuck Swiger wrote:
> ISC's BIND has (or had) a MINTTL value of 5 minutes / 300 seconds.
> It's probably unreasonable to expect other platforms to refetch DNS
> records faster than that.
Uh... no. BIND has always respected TTL when caching information.
AlanC
While not _exactly_ what was asked for, "rndc addzone" and "rndc
delzone" seem to be able to do what you want...
Just an idea..
AlanC
On 3/9/2012 2:24 PM, M. Meadows wrote:
> Thanks to both of you for your feedback.
> I see the rrset ordering explanation in the arm.
> Good information.
Don't base anything on RRset ordering.
Be sure that the application is able to handle the "random" order -- you
never know who owns the interme
On 3/13/2012 9:49 AM, King, Harold Clyde (Hal) wrote:
> Here's an example of my zone record:
>
> $ORIGIN .
> $TTL 1800 ; 30 minutes
> Wordpress.example.com. IN SOA hiddenmaster.example.com.
> ipmgr.example.com. (
> 2012020601 ; serial
>
On 3/13/2012 1:35 PM, King, Harold Clyde (Hal) wrote:
> I tried adding the NS records but it looked like the entire example.com
> was now subject to the NS of wordpress.com. I just want the sub domain to
> get its DNS from the wordpress.com NS servers. Not to give away my whole
> example.com doma
On 4/16/2012 9:40 AM, Matthew Huff wrote:
> Actually, this can be done.
>
> Create a zone file for "www.google.com", not "google.com". The zone file
> should look like this (replace THIS_HOSTNAME with the name of your nameserver):
>
>
> @ IN SOA localhost root@localhost. (
>
On 4/25/2012 10:28 AM, Matus UHLAR - fantomas wrote:
>> In message
>>
>> , Nicolas Michel writes:
>>> I only get no answer but a return code of NOERROR.
> On 25.04.12 23:53, Mark Andrews wrote:
>> The root cause is that the name servers for www.ryanair.com are
>> misconfigured. They are returni
On 4/30/2012 7:14 PM, Augie Schwer wrote:
> I think you've all missed the netmask there, 10.0.0.2 is in that range.
>
> augie@augnix:~$ sudo ifconfig lo:1 10.0.0.1 netmask 255.255.255.224
Netmask says what addresses are REACHABLE on that interface, not the
addresses assigned to that interface.
A
On Oct 16, 2012, at 3:11 PM, Noel Butler wrote:
> Alan Clegg wrote a quick howto DNSSEC in 6 minutes, you might want to google
> it, since ISC has destroyed their "new" website, I no longer see it in quick
> look to show you a link, apparently, it might be buried somewhe
e .org
zone.
AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind
On Oct 16, 2012, at 8:17 PM, pangj wrote:
> On 2012-10-17 11:10, Alan Clegg wrote:
>> No, it means that I haven't inserted the DS record for dnslab.org into the
>> .org zone.
>
> for DS record's data, is it the public key of ZSK? thanks.
No, it's a hash of the
4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
This problem has been solved. I inserted the DS record last night. :)
AlanC
his message was added by general recognition that being able to rebuild a
"drop-in" binary for BIND when you didn't have access to the build directory
(where the config.log contains the information) was a good thing.
I, for one, see no reason to suppress this message (but I do have
lover) that you must be
extremely careful with.
> A question: is implementing dnssec a good enough reason to abandon split
> horizon DNS?
I'd find any excuse to abandon views/split-horizon.
AlanC
se externally, or that their printer really
_should_ be named myprinter.example.com and not myprinter.internal.example.com.
All the best,
AlanC
On Nov 1, 2012, at 7:34 AM, Tony Finch wrote:
> I recommend using "auto-dnssec maintain" so named keeps the zone signed,
> instead of dnssec-signzone.
I do as well, and this will be documented in the next version of this document.
AlanC
On Nov 1, 2012, at 7:45 AM, Alan Clegg wrote:
>
> On Nov 1, 2012, at 7:34 AM, Tony Finch wrote:
>
>> I recommend using "auto-dnssec maintain" so named keeps the zone signed,
>> instead of dnssec-signzone.
>
> I do as well, and this will be documented in
on your
nameserver) than playing with query logging.
Additionally, it logs both the query and response...
AlanC
On Nov 10, 2012, at 1:39 PM, Ed LaFrance wrote:
> Running BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5
Before everyone else says it... upgrade.
AlanC
midst of this that might be messing around with TCP
connections?
If you do a "rndc recursing", what do you get?
If you are only doing 20-30 transactions per second, the stats on the UDP
counts would have taken a long time to get there... something doesn't add up.
Alan
; in your
options stanza so that it is not started when named starts (I'm not sure what
version introduced the querylog option, so you may need to test this).
AlanC
ething is doing it.
Send us your logging stanza...
(And yes, I'm absolutely sure that logging queries to syslog is handled by
named.conf)
AlanC
use the KSK as
a(mother) ZSK.
Don't do that. Also, unless you are planning on deleting the DNSKEY resource
records, get rid of the "secure-to-insecure" as well.
AlanC
On Dec 22, 2012, at 9:56 AM, Alan Clegg wrote:
>
> By setting dnssec-dnskey-kskonly, you are telling it to use the KSK as
> a(mother) ZSK.
Stupid autocorrect. a(nother) not anything about anyone's mother.
AlanC
On Dec 22, 2012, at 10:03 AM, Kyle Brantley wrote:
> On 12/21/2012 3:56 PM, Alan Clegg wrote:
>> On Dec 22, 2012, at 9:52 AM, Kyle Brantley wrote:
>>
>>> # named.conf
>>> options {
>>>[...]
>>>dnssec-enable yes;
>>>
signs the DNSKEY RRset, but it should
> still use the ZSK (and not the KSK) for all the other data in the zone.
Eh, yep. Thanks for that catch, Evan.
I think we may have found the problem "off-list" and it may be another thing
for the signer to look into... more in a bi
ile this points to the 9.9 ARM, but the statistics channel has existed since
9.5.
AlanC
ve me no errors and rndc reload worked fine but the zone
> wouldn’t update.
Can you send us the ZONE entry from the named.conf that relates to this zone?
Thanks,
AlanC
cursion is allowed on 127.0.0.1 (and your non-loopback IPv4 addresses),
you may want to permit it over IPv6 as well.
Might save some debugging time when you enable externally visible IPv6.
AlanC
On Feb 20, 2013, at 1:30 PM, Jsilliman wrote:
> The serial number gets updated in the logs, but not when I do a dig.
Do you have more than one copy of BIND running?
AlanC
And as was stated before, "cat /etc/resolv.conf" and let's see where your dig
is actually going...
N
Actually, it does. It's telling you not to edit it by hand.
Can you please provide us with the full output of the "dig" that you are saying
does not provide the correct information?
AlanC
ULL, un-edited, non-condensed output that shows the
missing A record?
AlanC
as worked for someone
> trying to do a similar setup?
Don't include the www record in the "base" file, just in the included ones.
AlanC
llowing page earlier today (in a completely unrelated
conversation), and think that reading over it might help the original poster to
figure out what is going on:
http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/
AlanC
nts (publication/activation/inactivation/deletion)
signature nearing-expiration
AlanC
this reason, and that copy of the zone lags by 0->refresh.
> It's not a huge problem for me, so if you can tolerate it, "notify explicit"
> might help.
Another option you may be interested in is "notify-delay" - if you don't really
need the notifies sent im
this "hassle".
I personally don't think that extending the signature validity period is a good
idea.
AlanC
to find any online training that comes close to what we provide in
person.
AlanC
ult in
SERVFAIL.
I'm going with "misconfigured resolver" for 1000.
AlanC
On Aug 2, 2013, at 9:19 PM, Alan Clegg wrote:
>
> On Aug 2, 2013, at 11:35 AM, David Newman wrote:
>
>> That looks OK, but the forwarder might still be broken (i.e., it might
>> strip replies).
>
> If this were the case and the resolver is correctly configured wit
ncontrol.com.
zygo.com. 3158 IN RRSIG NS 7 2 3600 20130812183056
20130728183056 19712 zygo.com.
YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhW
he actual error messages? It sounds like there may have been
two BIND instances running, but it's definitely not clear by the problem report.
Thanks,
AlanC
On Aug 17, 2013, at 5:12 AM, LuKreme wrote:
> On Aug 16, 2013, at 23:28, Noel Butler wrote:
>> I'm still trying to work out what the hell bind99 is
> <:).png>
> Sorry, that is how ports refers to bind 9.9
Thanks for that, but any word on the actual error messages?
look for the code
that is enabled with the compile time option "--with-fixed-rrset" to see how
fixed responses are provided), you still have to make the default in every
recursive nameserver to NOT randomize the response.
ie, it ain't gonna work like you want it to on the Internet
www.zytrax.com/books/dns/
> and any changes in how root servers are setup since I am pretty sure that has
> changed since I first setup bind 9.1 many eons ago (2002?).
If you are Internet visible, you don't do anything with configuring anything
about the roots, as it "
put in place so we can do dnssec validation in the
> meantime while we work on ceasing to use the private tld?
Sign your private TLD and insert an explicit trust anchor for it on each of
your recursive servers.
AlanC
the roots, as it "just works" (compiled into bind since 9.3ish).
>
> I distinctly remember having to go get the root file myself under either 9.0
> or 9.1 and sometime since then there was a kerfuffle as one of the root
> servers changed and, I could be wrong, I h
ata center.
Here's what I did recently to do just this:
https://plus.google.com/107634973406628501676/posts/6ZVyDrTw3np
AlanC
On Aug 20, 2013, at 11:31 PM, LuKreme wrote:
> On 20 Aug 2013, at 20:42 , Alan Clegg wrote:
>> If it's down that long and very often, you may want to consider putting your
>> DNS on a reliable server/circuit/data center.
>
> Well, often is somewhat more than... 5?
^
AlanC
On Aug 21, 2013, at 2:49 PM, Manish Rane wrote:
> Yeah even I am aware of infoblox. I am looking for open source.
Debian ISO install followed by "apt-get install bind9"?
AlanC
On Aug 21, 2013, at 9:28 AM, Alan Clegg wrote:
>
> On Aug 21, 2013, at 9:21 AM, Eric Davis wrote:
>
>> Anyone have any experience uploading DS records to Godaddy? They are asking
>> for the Digest in addition to the public key and I’m a little lost. What is
>>
r message "named :unrecognized")
Installing from source does not include "startup" scripts. Try "named -g" to
get output to the current TTY, and once it is working, "named".
AlanC
ation: file not found
> "
> how can I solve this ?
I'd start by creating the file that it says is missing. Or deleting the config
file and starting off from what I'm comfortable/familiar with.
AlanC
o an install from source.
This is done on purpose, as correct configuration is more complex than "here's
something that might work".
Nothing is "wrong" with BIND.
And you are welcome. 8-)
AlanC
S and BIND by Cricket Liu -
http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574
AlanC
le to use the option "bindkeys-file" to set a location that is
writable for this file.
It's also going to happen if you use managed-keys, as there is a "keystone"
created that needs to be updated. See the "managed-keys-directory" option.
AlanC
On Aug 28, 2013, at 1:29 PM, Alan Clegg wrote:
>
> I believe that what you are seeing is the result of BIND 9.9 doing more
> things "automatically", including bringing in a set of DNSSEC trust anchors
> (root and DLV) and not being able to create the file.
>
> Y
, please feel free to
post it to the list.
AlanC
On Sep 13, 2013, at 9:03 AM, Evan Hunt wrote:
> My real recommendation is, if you need an offline KSK, don't use inline
> signing. (You can still use
> auto-dnssec.)
Or use an HSM (hard or soft)...
AlanC
nt brought to you by those that care about the
Internet.
(but thanks for upgrading to a relatively new version of BIND)
AlanC
e zones, move the keying material and then convert the new system
from slave to master while taking the existing master off-line.
What am I missing?
AlanC
On Oct 1, 2013, at 9:04 PM, Sten Carlsen wrote:
>
> On 02/10/13 02.47, Alan Clegg wrote:
>> On Oct 1, 2013, at 8:27 PM, David Newman
>> wrote:
>>
>>
>>> On 10/1/13 2:16 PM, David Newman wrote:
>>>
>>>> Is there a recommended ord
abcd.com.sg mx
; <<>> DiG 9.9.4 <<>> @.com abcd.com.sg mx
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
SNIP
You haven't given us enough information to provide any reasonable answers.
AlanC
On Oct 8, 2013, at 5:39 PM, Steven Carr wrote:
> +trace ALWAYS goes to the root servers. It will bypass your DNS server
> completely.
Except for using your servers to find the root servers to begin with.
AlanC
On Oct 8, 2013, at 6:31 PM, Steven Carr wrote:
> On 8 October 2013 23:27, Alan Clegg wrote:
>> Except for using your servers to find the root servers to begin with.
>
> I stand corrected, I thought it might have done something clever for
> the first hop and had the root
> 20131029191450 20130929181450 56989 networktest.com.
You don't provide all of the record. It's an RRSIG that is still within its
lifetime.
Do a dig for "DNSKEY" rrtype at the zone name and see what you get back.
AlanC
On Oct 8, 2013, at 6:51 PM, Alan Clegg wrote:
> On Oct 8, 2013, at 6:42 PM, David Newman wrote:
>>
>> Problem is, dig says the key is still active, and will be until 29
>> October 2013:
>>
>> $ dig networktest.com @lo
" entry in your
named.conf that relates to the zone in question?
I would strongly recommend forgetting all about "freeze the zone and edit" as a
method of updating... move completely to dynamic zones if at all possible.
AlanC
On Oct 12, 2013, at 7:59 PM, Alan Clegg wrote:
>
> On Oct 11, 2013, at 10:54 PM, David Newman wrote:
>
>> 4. "Check that the new server is working and you can update
>> the zone by using nsupdate."
>>
>> This is where things fall apart. I run
.565 received control channel command 'reload example.com'
14-Oct-2013 17:39:26.571 zone example.com/IN (unsigned): loaded serial 2
14-Oct-2013 17:39:26.571 zone example.com/IN (signed): serial 4 (unsigned 2)
And for those of you that have taken the DNS and BIND class, yes, I'm real
On Oct 14, 2013, at 7:43 PM, Alan Clegg wrote:
> == Commands typed ==
> root@server00:/etc/namedb# ls
> bind.keys keys master named.conf rndc.key
> root@server00:/etc/namedb# cd master
> root@server00:/etc/namedb/master# ls
> example.com example.com.jbk
ement the signed version
(otherwise your slaves will never update), when you reload the zone (as the SOA
is resigned). [wow, that's a horrible paragraph, but I think it makes sense]
Also note that the inline-signed zone (in memory and dumped out to zone.signed
file) will continue to inc
eed up DNS queries? Because it seems that Windows clients
> use TCP instead of UDP when looking at netstat on the server.
Fix your windows clients.
AlanC
On Oct 21, 2013, at 9:47 AM, wbr...@e1b.org wrote:
>> From: Alan Clegg
>
>> Fix your windows clients.
>
> You can't fix stupid.
I have lots of windows clients and they don't exhibit this "feature". There's
something wrong on the windows client
m Windows PC's on tcp port 53 on the DNS
> cache server.
You've cured the symptoms, not the illness.
You really, REALLY need to figure out why your clients are doing TCP. You'll
see a world of difference when you solve this part of the puzzle.
AlanC
entry that points the PC's elsewhere rather than
> forwarding them or caching them?
Slave X.internal.example.com
AlanC
lpful.
Can you tell us _what_ .gov site? Do you see the same problem with 9.9.4?
AlanC
ailable)
What about more "normal" bind logging? Anything useful in there?
AlanC
yet) any
logging generated when you do the dig would be much more helpful.
AlanC
, Redhat!), I’d
be leery of answering this question as an “outsider”. Certainly not with an
authoritative answer.
AlanC
unavailable it should change A
> record in zone file to indicate to site2.tld. If site1.tld is available again
> then A record should indicate to it.
> Script should change SOA serial number.
>
> Please help with writing a script.
make the zone dynamic, read man page on nsupdate
acting” them from MySQL using a “dig axfr” and then
importing the normalized text version.
AlanC
you change from NSEC to NSEC3, etc.
All of these will keep the signed serial number ‘bumping up’ even when your
zone isn’t changing.
AlanC
search zonename” what
are your results?
AlanC
the ‘next generation’ of
maintainers).
I’m actually more a proponent of creating an architecture that doesn’t NEED
differentiated data, but there aren’t a lot of places implementing DNS / naming
structures on green-fields these days.
AlanC
the cache on all of our servers, I’ve
> restarted the service on all of our servers. I’ve not restarted the actual
> servers, but I don’t think that would get us anywhere.
Did you accidentally move from RPZ 2 (via patches) to RPZ 1 (included in BIND)?
I shot myself in the foot with th
, it seems that they have an A record for that label that provides the IP
address 127.0.0.1.
You probably want to ask the owner of the zone about this, as I’m not sure what
the community can do about it.
AlanC
I'm sure the Google servers
are instrumented as data collection devices and are providing data back to
someone regarding what DNS is actually doing and being used for.
Why else would they do it? 8-)
AlanC
d it even does really cool things like normalize the format of the data into
single lines that are really cake to parse unless you use "+multi" and then you
get exactly the same format that you had in the text files]
AlanC
t where your new system
expects it then start the new one. A brief outage of your master should be no
issue if your slaves are working correctly.
Do make sure that the new version is built with the same options as the old one
if you are replicating the file system locations of the data. 8-)
u could put the definition of the ACL into a file that you INCLUDE into the
config file and then, when you modify it, do a "rndc reconfig" which should not
impact your service too much.
AlanC
On 2/14/14, 10:43 PM, Sergio Ramirez wrote:
> Hi,
>
> We want to sign zones with bind using an HSM Luna PCI Safenet card.
>
> The command 'dnssec-keyfromlabel' fails:
>
> # /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l
> KSK1-testdnssec -f KSK testdnssec.
> dnssec-keyfrom