's supposed to be rndc sync -clean, not -clear. I thought we'd fixed
that, darn it...
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
o user bind?
> Aside from this, is the permissions change made by dnssec-settime a
> feature or a bug?
I consider it a feature, though opinions may vary.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
NSEC, DNSKEY,
DHCID, NSEC3, NSEC3PARAM, HIP and DLV. [RT #19330]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
erimental" I mean it: this is *not yet supported*. It
may turn up as a feature in 9.7, though.
> Does the named user also need write access to the zone files to
> accomplish the resigning?
To the zone files, and to the directory they're
I was
using an old bind9 announcement as a format reference and I must have
cut-and-pasted over the correct URLs with the old ones somehow. Apologies
to all.
Thanks for catching it, Chris.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
test
linking against libbind. [RT #19425]
10. [func] Add support for DS, SSHFP, RRSIG, NSEC, DNSKEY,
DHCID, NSEC3, NSEC3PARAM, HIP and DLV. [RT #19330]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium
nd it will not be
kept updated automatically. You'll have to re-sign the zone by hand on
schedule. In 9.6, you can leave it alone and it'll take care of itself.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
operation support. [RT #19031]
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
document function in . [RT #18534]
--
Evan H
rg/isc/bind9/9.5.1-P2/BIND9.5.1-P2.debug.zip.sha512.asc
Changes since 9.5.1-P1:
--- 9.5.1-P2 released ---
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortiu
rg/isc/bind9/9.4.3-P2/BIND9.4.3-P2.debug.zip.sha512.asc
Changes since 9.4.3-P1:
--- 9.4.3-P2 released ---
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortiu
ubstantially more robust, so
hopefully any similar breakages that might have come along in the future
will be stopped before they happen.
I expect this to influence future BIND development too (for example,
dnssec-signzone will probably be learning to print a few more warning
messages when it sees l
0.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/libbind/6.0/libbind-6.0.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is available at:
https://www.isc.org/about/openpgp
Changes since 6.0b1: None.
--
Evan Hunt -- e...@isc.org
Internet Systems
t check out this slide presentation, written by my colleague
Alan Clegg: https://www.isc.org/files/DNSSEC_in_6_minutes.pdf
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
-keeping (it ensures that the signing
process can pick up where it left off if it was interrupted by a
crash), it hasn't been.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
The type number can be overridden by the
sig-signing-type zone option.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
tomic operation support. [RT #19031]
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
document function in . [RT #18534]
--- 9.6.0 r
> has PGP key been changed?
Yes, it has. The release announcement contains a link to the new key
(https://www.isc.org/files/pgpkey2009.txt).
We should have flagged the change more prominently, sorry about that.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium,
rly to x86_64 when determining
atomic operation support. [RT #19031]
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
re converting from NSEC to NSEC3, both chains would exist, but
as soon as the NSEC3 chain was complete the NSEC chain would be removed.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
r resolvers to come
into compliance. (You might want to upgrade yours to 9.6.1.)
> I use ISCs DLV, is NSEC3 an issue for that?
It was, a while back. It's fixed now.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ion in . [RT #18534]
2501. [func] $GENERATE now supports all rdata types. Multi-field
rdata types need to be quoted. See the ARM for
details. [RT #18368]
2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
's are RSAMD5, that's actually
a protocol violation. dnssec-signzone should have been complaining
all along; it was a bug that it didn't.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Note that in future releases (9.6.2 and higher) you'll need to add
the -P option (meaning "partial") to dnssec-signzone for this to work.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
t may make it into the next alpha release.)
> Also the private type record seems to have changed from 65535 to
> 65534 but this hasn't been updated in NSEC3-NOTES.
Thank you for pointing that out.
--
Evan Hunt -- e...@isc.org
Internet
o. What you want is:
allow-update { !{ !192.168.1.254; any; }; key mykey; }
See http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html
for my hard-to-read explanation of this painful syntax.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
crafted update packet will cause named
to exit. [RT #2]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
specially crafted update packet will cause named
to exit. [RT #2]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
specially crafted update packet will cause named
to exit. [RT #2]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
't
notice the mistake until after publishing.
All of the signatures have been replaced with the correct ones today.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
should've been a 2009. Perhaps some people who did
validate the files were similarly incautious.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
(unused))" was in the wrong place
for ia64 gcc builds. [RT #19854]
2614. [port] win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]
2613. [placeholder]
--
Evan Hunt -- e...@isc.org
Internet Syste
which you can do by accident far too easily--simply by forgetting the -3
flag when you re-sign. There's an open bug ticket about this, I plan to
fix it soon.
Thanks for mentioning it.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
of the jitter
window. You can drop -e too, incidentally; since 30 days is already the
default.
(By the way, in 9.7.0a2 the times no longer have to be specified in seconds;
we added suffixes to specify hours, days, weeks, etc. So you could be saying
"-e 30d -i 10d -j 12
't be dropped until 7.5 days from now.
Or, if you kept the -j option but scaled it down, to say 20 days instead
of 30, then the earliest expiration times would be 20 days from now instead
of 15, so the -i flag wouldn't hit them for five days.
--
Evan Hunt -- e...@isc.org
Internet Syste
signature and sign the corresponding record again.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
nds() was broken. [RT #19900]
2647. [bug] Remove unnecessary SOA updates when a new KSK is
added. [RT #19913]
2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
2645. [port] "gcc -m32" didn't
. Thank you very much, we'll address it in the next
release.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
hutup_pthreadonceinit is needed. [RT #19037]
2505. [port] Treat amd64 similarly to x86_64 when determining
atomic operation support. [RT #19031]
2504. [bug] Address race condition in the socket code. [RT #18899]
2503. [port] linux: impr
> Apparently, support for the new algorithms RSASHA256 and RSASHA512 is
> not included? Is it planned for 9.7 or shall I wait 9.8?
That will be in 9.7.0b2.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
uch for the
RFC to be finalized.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
to be final in a little over a month, which is fortunate
timing.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
tting to the journal has
gone away. If it persists for more than one or two events, restart named.
If that doesn't fix it, delete managed-keys.bind.jnl and restart named
again.
I don't know how the journal's serial number would have gotten out of sync
like that. I'll have to
in opensslrsa_todns() were
incorrect. [RT #20394]
2717. [bug] named failed to update the NSEC/NSEC3 record when
the last private type record was removed as a result
of completing the signing the zone with a key.
e've planned for years
to overhaul or rewrite it, add NSEC3 and DLV support, and take out the
#ifdef's, but so far that's always fallen to time and resource limits.
Until we do have a proper DNSSEC-aware dig, you might try "drill"
at isc.org has a secure delegation (that is,
a DS record) for dlv.isc.org, but for some reason a query for
dlv.isc.org/SOA got a response with no signatures. Possibly
there's a misbehaving middlebox involved.
--
Evan Hunt -- e...@isc.org
Internet Syst
.asc
Changes since 9.5.2:
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc
.asc
Changes since 9.4.3-P3:
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium
.asc
Changes since 9.6.1-P1:
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium
't probe the return type of
gai_strerror(3) correctly. [RT #20573]
2744. [func] Log if a query was over TCP. [RT #19961]
2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
for an insecure delegation.
--
Evan Hunt --
nstructions are included in the bind9 distribution, in the file
win32utils/win32-build.txt. I'm not entirely sure these instructions
are fully up-to-date, so if you have trouble, feel free to send a bug
report to bind9-b...@isc.org.
The compiler we currently use for Windows builds is VisualS
'll add the information to the win32-build.txt file. Good luck.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
0576]
2788. [bug] dnssec-signzone could sign with keys that were
not requested [RT #20625]
2787. [bug] Spurious log message when zone keys were
dynamically reconfigured. [RT #20659]
2786. [bug] Additional could be
Expect a decision in the next few days.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ase note, though, bug reports should be
sent to bind9-b...@isc.org, not bind-users.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
cribes this usage (though I may
have missed one), but in any case it's not forbidden, and it's useful, so...
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
into earlier releases.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
he bug was fixed.
On BSD, the command is:
$ echo -n | b64decode -r | openssl dgst -sha1 -binary | \
b64encode - | sed -n 2p
As of BIND 9.7.0rc2, we'll be providing a new tool (isc-hmac-fixup) to do
this for you, regardless of platform.
--
Evan Hunt -- e...@isc.org
Internet System
> Just to clarify, does this also apply to HMAC-MD5 (block size = 64 bytes,
> digest size = 16 bytes) ?
MD5 is not affected.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
e sooner, actually; I'm just
hedging my bet.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc
] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc
] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc
'd fixed it, then we noticed something we'd overlooked, so we
fixed it again really hard. Consequently it has two CHANGES notes
associated with it: 2828 and 2831.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
tored accidentally-deleted text in usage output
in dnssec-settime and dnssec-revoke [RT #20739]
2808. [bug] Remove the attempt to install atomic.h from lib/isc.
atomic.h is correctly installed by the architecture
rill
or dig +sigchase) with a trust anchor for the parent, and make sure the
validation process works.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
{suppress = 0}
/zone "whatever.com"/ {suppress = 1}
{if (suppress == 0) print; if ($1 == "};" && NF == 1) suppress = 0}'
Or words to that effect. Works as long as the zones are always formatted
the same way.
BIND 9.7.0 is now available.
Overview:
BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
and operation.
New features include:
- Fully automatic signing of zones by "named
y); salt is
a chunk of binary data (represented in hexadecimal) that gets appended to
the name before hashing it.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
zone can't have a valid NSEC3 chain. Use "dnssec-keygen -3" to
generate your keys.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
opment branch; we put a placeholder note into the
main branch so we won't accidentally reuse the change number.
[experimental] -- a change we expect to revisit (these are quite rare,
and I believe all of them have been converted to some other tag by now).
--
Evan
second, by making it possible to configure
named itself to generate new keys.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
s fine. By default it installs into /usr/local.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
s opt-out set to zero, per the RFC.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
here's room for both approaches.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
g either
of those things with DNSCurve. When we do, I'll be happy to write the
code.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ually think it'd be much of a horserace if compatibility is all
you're looking for. What'll be interesting is how many queries the root
and TLD servers start seeing for uz5*/NS.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
k we'd be worthy of trust
if we made it the default.)
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
; DNSSEC if it gets information from a DNSSEC signed zone?
Yes, but "don't configure any trust anchors" gets the job done too. If
your configuration doesn't say "trusted-keys", "managed-keys", or
"dnssec-lookaside auto;" anywh
has been changed/added?
Principally:
1) ability to access key by reference
2) (relatively) user-friendly PIN management
3) ported to WIN32
4) separate "crypto-accelerator" and "sign-only" engines (see the 9.7.0
Administrator's Reference Manual, section 4.11
nthreaded, for historical reasons having to
do with an odd interaction between linux threads and linux process
privileges. I expect we'll correct this fairly soon; it's on the
to-do list for 9.7.1.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
work, either:
IIRC, RFC 5155 says that authoritative servers must not answer direct
queries for NSEC3.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
efault on linux too.
In the meantime, as long as you're prepared to watch out for errors of this
type and correct them with judicious use of rm, chown, or named -u, you're
fine.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ion testing, the best tool I know of is drill, which is
included with Unbound.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
is; that's why
it never appeared to be a problem until now.
Note that sometimes it *isn't* a problem--for example, when you're
signing a zone in two phases, once with a ZSK and later with a KSK. If
that's what's going on in your case, add the -P flag (for "partial"
> If there's no built-in, what is the best way to come up with an equivalent?
I think this will work:
acl any6 { ::0/0; };
acl any4 { 0.0.0.0/0; };
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
.org, but if you weren't going to be supporting outbound
queries anyway, there's no need for it to do this.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
key will produce DS records. You can convert
> between a DS and DLV record using an ordinary text editor.
...or you can also use the -l argument with dnssec-dsfromkey.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
want to wait a long time for it, I'd
probably generate the key on some other system and copy it over.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
s you're not building BIND on the system
where you'll be running it, so it would be useless to search the current
system for a random device, so it stops the build. But if you tell it what
device to use, it won't need to search for one.
--
Evan Hunt -- e...@isc.
t--all that bit means is
"go ahead and send me DNSSEC data, it won't hurt me").
I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
If it doesn't, though, try "edns no". You can't have a
't complete yet. When the server is finished
building the chain, it updates the newly-added NSEC3PARAM record, and
zeroes the flags field. At that point, it's safe to remove the old
NSEC3PARAM record, which will cause the server to remove the old NSEC3
chain.
If inserting a new NSEC3PAR
> >If it doesn't, though, try "edns no". You can't have a DO bit if you
> >don't have a place to put one.
>
> This seems a bit like "my left leg hurts, so i stabbed my right leg".
Exactly. Now you aren't lopsided.
--
ssec-validation" option *is* turned on
by default, from BIND 9.5.0 onward.
You're right that this isn't relevant to Jan's problem, though.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
an authoritative name server; it
doesn't apply to queries being sent by a resolver. Resolvers do indeed
set the DO bit unconditionally. Sorry for any confusion caused by my
earlier statement to the contrary.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
> I'm getting the following in syslog, only appears to be happening with
> lookups:
>
> Jun 19 10:58:23 vai named[6508]: error (no more) resolving
> 'sports.espn.go.com//IN': 198.105.192.254#53
That looks like a bug to me. "No more" isn't an error, it's a result code
signaling that some
> You need "auto-dnssec maintain" in the zone statement
Right, or "auto-dnssec allow".
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
ccessive queries give me the same order, but with the previous last item
moved up to the first.
RTT (plus other considerations) determines which server a resolver will
choose to use, but that isn't related to the order in which they appear
in the RRset.
--
Evan Hunt -- e...@isc.org
Intern
to find a useful target, then give up.
This has the side effect of cutting off a legitimate CNAME chain
at 17 records, but such a chain is pretty unlikely to occur in
nature.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
.iana.org/instructions/ for details)
and compare it against what you've got in your configuration now.
The key I see in their zone right now (key id 46846) matches the
one in the ITAR.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
};
The equivalent managed-keys statement is:
managed-keys {
. initial-key 257 3 8 "[gibberish]";
};
(The extra keyword is there because we were thinking we might want to
extend the syntax someday and add other methods for initializing trust
anchors.)
--