ad of updating BIND, you can pull it from the source tree:
https://gitlab.isc.org/isc-projects/bind9/-/blob/main/bind.keys.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the d
site before turning on DNSSEC validation,
and we no longer consider that to be worthwhile advice. Just keep your
packages up to date and you'll be fine.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ich usually ignore the authority section.
no-auth-recursive is meant for use in mixed-mode servers that
handle both authoritative and recursive queries.
So when recursion is requested in the query, the server omits the NS
records from the authority section, and if there's no NS records
g a query, but unless your server gets an overwhelming amount
of traffic you won't notice it.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
't
succeed until the original name is resolved. The two lookups will wait on
each other for ten seconds, and then the whole query times out and issues
that log message.
The log message is new in 9.18, but the 10-second delay and SERVFAIL
response would probably have happened in earlier relea
> more preferable way to accomplish what I want, either with 9.18
> itself or otherwise.
It should, the raw file format hasn't changed. (There used to be a
format called "map" that was incompatible between versions, but
you're not using that, and it's been removed from
in a feature request at https://gitlab.isc.org/isc-projects/bind9,
and if you submit a patch we'll look at it, but I don't think this is
the right way to do this. Why are you remapping to a blackholed
address, instead of returning NXDOMAIN?
--
Evan Hunt -- e...@isc.org
Internet System
ative
configuration working fine (otherwise presumably dnssec-analyzer would've
complained), but recursive isn't working.
Unfortunately, since you haven't provided any configuration info or even
the name of the domain you were trying to set up, I can't make any more
educated guesses
em, then can show me the
relevant lines from your log file so I can see what you're referring to
by "key regeneration"?
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
int delv to a
resolver that implements EDNS correctly. It will validate the data it
receives, but it has to receive some.
The newest version of delv, in the BIND 9.19 development release, has
a 'delv +ns' option to do its own resolution internally, without needing
an external server to
On Thu, Jun 08, 2023 at 07:57:12PM +, Evan Hunt wrote:
> So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
> This needs to be reported as a bug to the systemd maintainers. And, maybe
> delv should have a +nocookie option.
Hmm, on further inspection, I w
ervers, into clusters
for the benefit of servers that only have intermittent connectivity
to the internet. This is no longer a common enough scenario to justify
the added code complexity.
They will be deprecated as of BIND 9.20 and removed in BIND 9.22.
--
Evan Hunt -- e...@isc.org
Interne
s loaded.
In your example, zone cf1 was in view1, so it sent its summary information
to view1. It doesn't know that it's also in view2.
I've been thinking for a while about the best way to address this, and
there might be some news coming in the not-too-distant future, but I don'
hey are not thought to be useful in a production environment,
and we know of no operators using them. (Please let us know if this is
incorrect!)
Our plan is to mark these options as deprecated in BIND 9.16 and 9.18,
and to remove them as of BIND 9.20.
--
Evan Hunt -- e...@isc.org
Internet Systems C
atch before
it was merged.
You do raise a good point - there may be reasons for different sites to
want to tweak these settings. If so, though, then we should probably
add the tuning to named judiciously, after a proper research and
data-gathering process, instead of just accidentally leaving it there.
On Thu, Feb 29, 2024 at 10:34:42AM +0100, Borja Marcos wrote:
> But bear in mind that this is only guaranteed to work inside your
> network/ASN. It’s not unusual to scrub DSCP at the network border.
Same problem would also apply to DSCP values set internally by named,
of course.
--
Eva
learned.
It *is* on by default, if it can find libxml2. Does yours live in
a nonstandard location?
Perhaps, if libxml2 and libjson-c are both unavailable, we should
disable statistics-channels in the configuration - at least that way
the problem would've been easier to figure out.
--
Ev
work. However, I believe the Ops department is planning to switch over to
BIND 9.9 fairly soon, in order to take advantage of the new inline-signing
feature (which in fact was largely developed at their behest).
https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.
ND has this: "dnssec-accept-expired yes;" Note that it opens you
to replay attacks, but misconfigured zones are more common than replay
attacks, for now anyway.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ddress space, you can go ahead and do so; zones that you configure
override the built-in zones.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
n spare all our domains from being misused by
> such shit just by signing them?
Not entirely, but it'll help, yes.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
.nil.+007+04053
$ rndc loadkeys example.nil
$ sbin/rndc signing -list example.nil
Done signing with key 4053/NSEC3RSASHA1
Done signing with key 28952/NSEC3RSASHA1
$ dig @localhost +short nsec3param example.nil
1 0 10 BEEF
--
Evan Hunt -- each@isc.org
Internet Systems Consorti
s during a key roll.
However, whenever you do wish to change them, you can do so with
'rndc signing -nsec3param', and the chain will be updated automatically.
(Also, if you want to switch to NSEC instead of NSEC3, you can use
'rndc signing -nsec3param none'.)
--
Evan Hunt -- e
ps the SOA serial number is no
longer needed for NSEC3PARAM updates.
As for DS records, those are updated like any other data in the zone
(i.e., use 'nsupdate' for dynamic DNS, or update your zone file and
run 'rndc reload' for inline-
ord. (You could insert this record into the unsigned
zone if you wanted to, and it would work, but using rndc is a lot
easier.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
'll switch to using -3 as the default in some future release.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
SEC3" in the human-readable algorithm name is
rather misleading (it certainly confused me at first).
Later algorithms such as RSASHA256 also support NSEC3, but they don't
say so in their names, which I think leads to less confusion around this
point.
soon to update the default algorithm
in dnssec-keygen. Maybe in 9.10.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
r this is "drill", which is part
of Unbound (https://unbound.net).
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
eally big config file
due to a large number of zones, that can save a noticeable amount
of downtime.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
iting
for the person with the signing key to get me a new set of signatures.)
Sorry about that, and thanks for the heads up.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
lf.
There were new configuration options added, but as far as I can
recall, none of them were removed or changed in particularly
dramatic ways.
The 9.8.0 release notes covered all the feature changes between
9.7 and 9.8; you might want to review them:
http://ftp.isc.org/isc/bind9/9.8.0/RELEA
-9.8.2.tar.gz) =
09f0b18bde0438186d6639f08c17db3b98e81c17
MD5 (bind-9.8.2.tar.gz) =
9d92bed18795a35ebe629f715cf41353
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
rk on all the platforms
we routinely test.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
on what the format of this 'raw' format
> actually is?
It's just DNS wire format, not much different from what you'd see if
you ran a sniffer during a zone transfer. You can convert it to text
format to see what's in the file with:
named-che
ge?
It's for inline signing. Raw format 1 has an extended header that includes
the serial number of the zone from which it was generated. This lets us
resynchronize the unsigned and signed versions of an inline-signing zone,
in the event that, for example, you update the original zone fi
's just similar. There's no
formal specification for raw format zone files.
No part of BIND is proprietary: it's BSD-licensed, any vendor who
wants to copy our file formats is free to do so.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
as unsupported in the first alpha release of the feature, but
it should work now as long as the SOA serial is updated.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
are best sent to bind-sugg...@isc.org.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
th the remaining keys. (Update the SOA serial number in the unsigned
zonefile to something higher than the current serial number in the
signed zone; move .signed and .signed.jnl to some other
location; restart named. A new signed zone should be generate
wrong?
No, that's correct. "rndc loadkeys" is only necessary when you want
to change timing on a key and have named notice the change immediately.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
sl if you want to use
crypto; libxml2 if you want XML-based statistics; perl if you want to
run the tests, and some of the tests specifically want Net::DNS. I
can't think of anything else, offhand.
(I'm assuming you mean BIND 9. BIND 10 has a longer list.)
--
Evan Hunt -- e...@isc.org
I
ips as part of Unbound (http://nlnetlabs.nl).
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
tests/cfg_test --named --grammar)
but it doesn't print the default settings.
But, if you've downloaded the source anyway, the defaults for nearly every
option are set in bin/named/config.c -- scroll down to where it says
"default configuration" and read from there.
--
Evan Hun
format, you can specify that in named.conf by setting "masterfile-format
text;" in each of the zones. But, raw zones load from disk twice as
fast as text, so personally, I'd just leave it the way it is.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
r a lot of small ones, but
it's always there.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ilure)
> >>>
> >>>This is bind-9.8.2-0.2.rc1.fc16.x86_64. Is this a known issue? Is this
> >>>indeed a bug or perhaps something otherwise wrong with the server?
> >>>
> >>>How can I troubleshoot this further?
> >>>
> >>>Thanks,
>
ay: "that really isn't a good idea; please don't do that anymore."
If you're in a position to download and build source, the latest release
of 9.8.x is at https://www.isc.org/software/bind/983-p1 and new releases
are announced on this mailing list when they occur.
--
Evan
his along for you. It's a
good idea.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
.x releases; we're up to 9.7.6-P1.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
interest of completeness, I will
mention that there's a compile-time option that can be turned on that
makes it possible to alter this behavior: configure --enable-filter-aaaa).
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
n authoritative tool as
> far as zone: Syntax, rules and other error checking goes.
It works for me. What errors are you trying to check for that
named-checkzone -k isn't finding?
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
rom before the journal file was last purged,
then there's not much you can do.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
passing them on to the master), but that doesn't sound like what
you're looking for.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
t want to do it that way, though; DLZ's too slow.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
> Is it possible to tell each view to listen on certain interfaces? I know
> Listen-on is in general options so i was wondering if views have
> something similar.
No, but you should be able to get the same result with "match-destinations".
--
Evan Hunt -- e...@isc.o
ht now .ORG has NSEC3PARAM set to:
org. 900 IN NSEC3PARAM 1 0 1 D399EAAB
To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB ".
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ld forward it for you, your preference.)
And, thank you -- I really appreciate beta testers.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
example.com" and
"dnssec-signzone -x example.com", on 9.9.2 and 9.7.4, and it worked
as expected in all cases.
Were you signing your zone from scratch, or re-signing a zone that
was already signed? If there was a pre-existing ZSK signature,
the signing process might have left
te BIND's DLZs, just as it
> can if zone files are used?
I'm not sure what you mean by "using encryption".
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ach other and the validity of DNS updates
> coming from the DHCP server. Am I on the right track? When I wrote
> 'encryption' this is what I was referring to.
Okay, you're talking about authentication using TSIG keys -- I t
match-destinations { any; };
recursion yes;
allow-recursion { ... };
...
};
Any queries sent to would then be routed into the "monitor"
view, and any queries sent to the public-facing addresses would go to
the "others
ST_R_VERIFYFAILURE));
to this:
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ot the fix we used for the maintenance release, but
it'll serve.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
wanted to write code to parse our XML,
they might want to know there'll be a few different schema versions in
the field soon.)
> Is this a tunable parameter?
No.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
> Looks like I'll have to update it for 9.10 tho, hope they updated the
> schema number.
Yes, we did.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
s configured, about 90% of
the tests will fail.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
than
an apparently successful build that didn't work. You got lucky, I guess.
Glad it's sorted out.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
go insecure.
Running "dnssec-settime -p all " on the ZSK will show you what the
key timers are set to. If the key's Activation date is in the future or
the Inactive date is in the past, that's the problem.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
remove the symlinks after the checkzone/compilezone is finished.
Something like:
origin=$1
zonefile=$2
journal=$3
shift 3
ln -s $zonefile /tmp/db.$$
ln -s $journal /tmp/db.$$.jnl
named-checkzone "$@" -j $origin /tmp/db.$$
ret=$?
rm -f /tmp/db.$$ /tmp/db.$$.jnl
exi
retty good chance that if we changed the comment
from "minimum" to "ncache ttl", it'll turn out someone had a script that
depended on the existing format. I don't mind breaking people's scripts
if there's a compelling reason, but I'm not sure the ben
uming the version field would be enough, but we can change
the URI if needed.
> But am I reading right? If I don't build with --enable-newstats, all my
> monitoring and trending scripts will continue to chug happily along with
> the
a good deal more harm by
deleting files you wanted to keep than by leaving files for you to delete
yourself...)
> 3. If I direct `rndc addzone|delzone' to the same named instance from
>multiple processes (from the same source IP address), is there any
>danger of the .nzf file be
the parent key of
negotiated-key.server. (Note, however, that transfers will also
be allowed for any request signed with tkeyinit, or with any other
key that was negotiated using tkeyinit. I don't know whether there's
a way to make the server accept only one specific negotiated key.)
it in the masters list then you could use different keys for
different purposes when talking to the same server. If it's in a server
statement, then that server always gets the same key.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ld work with SIG(0), but I don't have any code to show you
that generates SIG(0)-signed TKEY requests -- keycreate.c in the test
suite uses TSIG, so I adapted the recipe to that.
(Unless some other DNS implementation provides a tool for this purpose?
If you know of one, please let me kno
ereas DNSSEC already has all the crypto needed to get the job done.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
he authoritative
server(s) for your zones. The resolver will then forward queries for those
names to the authoritative servers, and validate the responses.
(If those weren't enough bread crumbs to show you the way, I can expand
on this.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consorti
nd 5;
> window 5;
> };
> include "/etc/bind/named.conf.local";
> };
I haven't seen this problem before. Can you share the rest of
your configuration with me? You can open a ticket by mailing
bind9-b...@isc.org.
--
Evan Hunt -- e...@isc.or
> Type forward? Really? I didn't expect that to come from someone at ISC.
D'oh, embarrassed now.
> Use 'type stub' instead, with a masters statement rather than a
> forwarders statement.
Chris is correct, both options work, stub is better.
--
Evan Hunt --
se the shorter list is better.)
> ::1/128 ; 2001:0db8:100::4/128;
>
> Is what you do for specific addresses?
You don't need the /128.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
no data to graph yet. Send your server a few
queries and try it again.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ome error messages
the first time you load the server after upgrading to 9.9 are expected;
thereafter they should go away. (This is in the release notes.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
elease -- you'll be able to use it to specify ACLs, e.g.,
"match-clients { geoip country US; };". I expect it to be published
in Q4 of this year.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
mean?
The warning is spurious and has been fixed in 9.9.3. It was incorrectly
checking to see whether there were any DNSKEY records in the zone *before*
loading them from the key files. It should have been doing so afterward,
obviously.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium,
master;
also-notify { localhost; };
};
};
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
earch command does not work in environment.
>
> [root@server1 # dig myhost +trace
...but "dig +trace" behaves completely differently, searching for the
name from the root zone down and never touching the local resolver at
all, so this would have queried the root server even if
es like 9.9.4; making it a compile-time option that defaults to off
is our way of tiptoeing around the rule.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
to DLZ.)
> Or you can wait until some time in the future when it gets integrated
> into the base BIND.
About which see my previous message.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
arly August.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
't need --with-pkcs11 unless you're planning to use a cryptographic accelerator
or hardware service module, and you'd have had to build a special version of
OpenSSL for that. Remove it from the configure options and you should be fine.
--
Evan Hunt
>
> Stephan
Yes it's possible. Use "configure --with-dlz-ldap". There's a
sample configuration at http://bind-dlz.sourceforge.net/ldap_driver.html.
There will also be an improved, dynamically-loadable LDAP DLZ module
included in BI
t it's not an error.
If you report this to bind9-b...@isc.org we'll address it.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
just as it
allows you to use a ZSK as a KSK), but I don't recommend it.
Unless there are resolvers that have managed-key trust anchors configured
for ksu.edu, you shouldn't bother with the revoke bit for your KSK either.
--
Evan Hunt -- e...@isc.org
Inter
and restore the key. Something
like this ought to work:
dnssec-settime -R none -I now -D now
rndc loadkeys ksu.edu
sleep 1
dnssec-settime -I -D
rndc loadkeys ksu.edu
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
oblems, please report to bind9-b...@isc.org.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
it would
just cause the signed DNSKEY rrset to be stripped before the inline-
signing zone got to work. I can think of some ways to kluge around this,
but they'd be cumbersome and prone to error. My real recommendation is, if
you need an offline KSK, don't use inline signing. (You can s
> those DNS servers
A mail server should be talking to a caching resolver, not an
authoritative DNS server; RRL is for authoritative servers. So the
situation shouldn't ordinarily arise.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
a, PTR queries for 10.100.*.* should be
forwarded while all other queries for 10.* should be answered from
the empty zone. That wasn't working; now it is.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ck as above to have zones transfer from
one view to another within the same server. Put a master in external
and a slave in internal, and have the slave use "key ext-key" in its
masters statement.
BIND 9.10 is going to include the ability to reference the same
zone from more than one view,