Hello,
in the near future I will have to change NS records for one of my
domains, as DNS servers currently use an old domain (not mine), that
will be phased out. DNS servers will actually remain the same, only the
domain name will change.
So, basically:
* mydomain currently uses dns1.oldd
Hello,
I think
chmod ug+x /etc/bind/zonas/
should solve the issue by giving the
owner (bind) and the group (bind) permissions to enter the
directory.
Danilo
On 28.6.2
Hello,
I recently stumbled upon a problem trying to update my root hints file
from *ftp.rs.internic.net*. For some reason, one of my DNS servers,
running on Alpine Linux, can't resolve this name properly and always fails:
# ping ftp.rs.internic.net
ping: ftp.rs.internic.net: Try again
nslookup s
Don't know if that helps, but if I query my local Bind DNS for a CNAME
that doesn't exist, dig gives me the SOA record:
> dig cname nonexisting.example.com @mydns
; <<>> DiG 9.16.6 <<>> cname nonexisting.example.com @mydns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,
Hello,
I'm noticing some unusual activity where 48 external IPs generated over
2M queries that have all been denied (just today):
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0
194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 securi
Hello,
I have an authoritative DNS server for a domain, but I was also going to
use the same server as a recursive DNS for my internal network, limiting
recursion by the IP. Apparently, this is a bad idea that can lead to
cache poisoning...
After watching a Computerphile Youtube video
(htt
On 29. 12. 21 19:24, tale wrote:
On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users
wrote:
I have an authoritative DNS server for a domain, but I was also going to
use the same server as a recursive DNS for my internal network, limiting
recursion by the IP. Apparently, this is a bad
Hello,
today I implemented DNSSEC for a domain - by that I mean that the DS
records have been published / added to TLD DNS today, while the zone has
been signed a couple of days ago.
So a couple of hours later I went to https://dnsviz.net to see if
everything seems OK and it reports one er
Hello,
I implemented DNSSEC for my personal domain a good while ago with an
older Bind and back then, I used RSASHA1-NSEC3-SHA1 algorithm, which by
now is not recommended... So I'm going to change the algorithm, probably
to ECDSAP256SHA256, which should also be NSEC3 capable.
Since my domai
On 6.4.2022 8:52, Daniel Stirnimann wrote:
Hello Danilo,
A simple schema to change DNSSEC algorithms is as follows:
1. Add new KSK/ZSK and double sign DNSKEY and all zone RRs
with both the new and old algorithm
2. Replace DS at parent
3. Remove old DNSKEY and all RRSIGs from the old algorit
.
Regards,
Petr
1. https://bind9.readthedocs.io/en/v9_16_27/dnssec-guide.html
2.
https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch04.html#dnssec.dynamic.zones
On 4/5/22 09:07, Danilo Godec via
bind-users wrote:
Hi all,
yesterday I filled my day fiddling with DNSSEC for a couple of my test
domains - both have been signed 'manually' before, but I haven't
published the DS record.
So yesterday I set up both for dnssec-policy, while also changing the
signing algorithm and keys (basically started from sc
t help?
Cheers, Greg
On Wed, 2 Oct 2024 at 10:58, Danilo Godec via bind-users
wrote:
Hi all,
yesterday I filled my day fiddling with DNSSEC for a couple of my
test domains - both have been signed 'manually' before, but I
haven't published the DS record.
So ye
Hi,
I've been doing some more reading into DNSSEC and if I understand
correctly, it is allowed to have multiple DS records for one KSK - with
different digest types. Apparently, SHA-1 is deprecated and shouldn't be
used anymore, while SHA-256 is mandatory and has to exist.
That leaves SHA-3
aphy.
RW
*From:* bind-users on behalf of
Danilo Godec via bind-users
*Sent:* Wednesday, October 16, 2024 8:00 AM
*To:* bind-users@lists.isc.org
*Subject:* DS digest type(s)
Thanks,
now that I know what to look for, I found the docs for it.
Maybe worth mentioning that /cds-digest-types/ is not available in
9.18.x, as it has been introduced in 9.19.11.
Danilo
On 16. 10. 24 23:24, Mark Andrews wrote:
On 16 Oct 2024, at 23:00, Danilo Godec via bind
DS
may stay in the "Rumoured" state indefinitely, and this can influence
future key rollovers.
3.
You can use the options 'cds-digest-types' and 'cdnskey' to set what
RRsets need to be published.
Hope this helps, best regards,
Matthijs
On 10/2/24 12:42, Danil
te:
Hi,
The change from rumoured to omnipresent is TTL dependent. To be
precise: it is the sum of the configured parent-ds-ttl,
parent-propagation-delay, and retire-safety.
- Matthijs
On 10/2/24 14:55, Danilo Godec via bind-users wrote:
Hi Matthijs,
thanks, that explains a bunch.
I chec
If nothing else works, you can always 'include' a file that contains
configuration stanzas of those zones and then use a script to add new
zone stanzas to the file.
# Include config file with thousands of domains
include "/etc/named.d/1000s_domains.conf";
The script could either recreate the
Hello,
I recently noticed that emails from a somewhat trustworthy organization
don't have a valid DKIM signature - or rather, my email client can't
verify them, because there is a timeout resolving the domainkey record.
Testing this with 'dig' confirms the problem:
dig txt eulisa._domainkey
Hello,
I'm running bind 9.18.28 on OpenSuSE Leap 15.6. I also run 'certbot'
with some home-brewed scripts for DNS validation.
Something happened between January 6th and yesterday that caused
'certbot' renewals to fail with OpenSSL errors:
tls.c:90:tls_initialize(): fatal error:
RUNTIME_CH
Hello,
I was testing / debugging some sub-zone delegation for a friend's domain
(something about an email marketing service that wants their clients to
delegate a subzone to their NSs) and couldn't quite see the issue -
apart from my local resolver reporting 'SERVFAIL':
; <<>> DiG 9.18.33 <<>
Hello,
apparently one shouldn't use CNAMEs for 'delegating' _domainkey records
to another DNS server, but I see that some email service vendors use
that - they have their customers add a CNAME pointing to their TXT
record (one recent example that I was dealing with is atlassian.net
(https://
On 10.05.2025 05:29, bi...@clearviz.biz
wrote:
>Also check /etc/resolv.conf and see what address(es) is/are
listed as nameservers.
The resolv.conf file contains:
nameserver 127.0.0.53
search mydom
On 18.05.2025 19:53, bi...@clearviz.biz
wrote:
I include it because all of the packets
seem to have the same problem (the router attempts a ping to my
main server (ending in octet ".10"), for which it claims the host is
unreachable. Not sure why tha