Re: manage managed-keys?

2010-07-17 Thread Evan Hunt
Any keys found in managed-keys.bind that don't have a matching key name in in named.conf are removed. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Evan Hunt
lgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh"; }; (Except, you know, get the key text from a secure channel or from the signed bind9 distribution, not from email...)

Re: dnssec-lookaside auto and managed-keys-zone problem with certain views

2010-07-18 Thread Evan Hunt
let's just say "unwieldy". Best to segregate them into a directory where you don't have to look at them.

Re: manage managed-keys?

2010-07-19 Thread Evan Hunt
one. When it disappears, BIND starts a 30-day timer. At the end of that time, if the key hasn't reappeared, it's purged from the managed-keys database.

Re: Dynamically add zones

2010-07-29 Thread Evan Hunt
> Is there a patch for bind 9 to add new zones dynamically without > having to run rndc reconfig? This feature is being added in BIND 9.7.2. It's available now in the beta version, 9.7.2b1.

Re: Dynamically add zones

2010-07-30 Thread Evan Hunt
> Note that the syntax for this set of tools (dynamic zone creation) is a > bit in flux and may be completely changed between 9.7.2 and 9.7.3. For that matter, I expect it to change significantly before the final release of 9.7.2.

Re: Dynamically add zones

2010-07-30 Thread Evan Hunt
ubmitted the patch to us has been using it in production for quite a while...)

Re: Clarification on ANY query

2010-08-02 Thread Evan Hunt
ion. Is bind result > correct? could you please clarify me. It's "correct" in the sense that it isn't a protocol violation. But it's "incorrect" in the sense that duplicate data is inefficient, so maybe it's a bug that BIND did that. Send it to bind

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
gchase" isn't good code. I expect we'll be removing it in a future release. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this lis

Re: dnssec-validation [ ddig_sigchase option ]

2016-10-12 Thread Evan Hunt
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: > On 10/12/16 13:36, Evan Hunt wrote: > > I recommend using "delv" instead. "dig +sigchase" isn't good code. > > ? well that is news to me :-\ It's code that was contributed over ten

Re: receive_secure_serial: bad database

2016-10-20 Thread Evan Hunt
ntify the error. Can you please open a ticket by mailing bind9-b...@isc.org? It would be easier to discuss it there.

Re: rndc addzone type forward

2016-11-16 Thread Evan Hunt
imitation, but I don't see it in the ARM; my apologies for that oversight.) We've had a feature request in our queue for some time to make it possible to configure forwarding via rndc. Hopefully in 9.12.

Re: real BIND start time

2017-01-05 Thread Evan Hunt
1-05T22:01:35.313Z", "config-time":"2017-01-05T22:01:35.380Z", "current-time":"2017-01-05T22:18:37.498Z", "version":"9.11.0-P1" } $ curl http://localhost:/xml/v3/status 2017-01-05T22:01:35.313Z2017-01-05T22:01:35.380

Re: NTA (Negative Trust Anchor) lifetime

2017-02-14 Thread Evan Hunt
ssible to configure that in BIND. You could set up a cron job to renew an NTA periodically, though.

BIND 9 windows XP builds

2017-04-17 Thread Evan Hunt
s, but to do that we have to understand those needs, so please let us know what yours are. Thanks,

Re: BIND 9 windows XP builds

2017-04-17 Thread Evan Hunt
t of downloading all the files for each release, but don't actually use the XP builds. If that turns out to be the only explanation I hear, then we'll drop XP support after the upcoming releases are final.

are you using lwres?

2017-05-18 Thread Evan Hunt
quiet. Do you run lwresd or named-with-lwres? Do you have code that links with liblwres? If so, please let me know.

Re: DNSSEC DS Record

2017-07-14 Thread Evan Hunt
d it would also need a DNSKEY at zbc.com, which would be occluded by the cached CNAME, and DNSSEC validation would fail. (This is more or less the exact use case for the proposed ANAME record.)

anybody building without crypto?

2017-12-06 Thread Evan Hunt
If you're building with crypto disabled, would you mind contacting me, either privately or on list, so we can have a conversation about why you chose that option? My guess is this isn't something anybody needs anymore, but in the interest of due diligence I'm prepared to be edu

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
s libbind anymore. What's the purpose of this? Why not just use BIND 9, or some other existing resolver?

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
y, I can't really recommend either solution. I'd probably just use dnsmasq and turn on its DNSSEC validation option.

Re: DNSSEC validation

2018-02-13 Thread Evan Hunt
ith my client application? Any reference. If you need it to be built in to your application, I'm not sure. Warren's suggestion of using getdns-api was a better idea anyway.

Re: questions on allow-query

2018-02-19 Thread Evan Hunt
ery { any; }; in each zone? > > Is that better than simply setting the IPs that are allowed recursion? The usual approach is allow-query { any; }; and allow-recursion { localhost; localnets; };

Re: questions on allow-query

2018-02-20 Thread Evan Hunt
vulnerable to a crash bug in the recursive code.

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-09 Thread Evan Hunt
h above got rid of the second problem, but brought back the first one. Apex CNAMEs are bogus, of course, but we do need to cope with them when they appear. We're going to revisit this issue in 9.12.2, once we've figured out how to solve the one problem without causing the other one.

Re: CNAME at apex, was Re: Issue running "dig txt rs.dns-oarc.net" on 9.12

2018-03-10 Thread Evan Hunt
> provide a nice speed-up, as well as allowing the validator to avoid > looking into insecure subtrees, which will have the side-effect of > avoiding problems with apex CNAMEs. Yep, that's one of the approaches we've discussed.

Re: Roadmap for DNSSEC signing/automation?

2018-03-13 Thread Evan Hunt
s on whether domain registrars make use of it.

Re: BIND GeoIP2 support

2018-04-04 Thread Evan Hunt
contributions would speed things up.)

Re: Does anyone have BIND 9.11.3 RPM

2018-04-20 Thread Evan Hunt
rk on building BIND packages for various distributions, and while we're still testing the process and haven't started publishing them yet, I do have an experimental 9.11.2-P1 RPM that you can try out if you like.

Re: BIND source distribution missing?

2018-05-04 Thread Evan Hunt
ts 'welcome' file, because > BIND doesn't seem to be distributed from there anymore. As others have already pointed out, it's still there: 'cd isc/bind9/$version'.

Re: BIND source distribution missing?

2018-05-04 Thread Evan Hunt
On Fri, May 04, 2018 at 04:19:43PM +, Evan Hunt wrote: > You're right, something's broken. I see it too, and not just on chrome. > I'll escalate. Thanks for bringing this to our attention. It's fixed now.

Re: v9.12.1-P2 changed files

2018-05-18 Thread Evan Hunt
re modified between 9.12.1 and 9.12.1-P2 are: lib/dns/rbtdb.c lib/dns/zone.c lib/ns/include/ns/query.h lib/ns/query.c And all other differences are from rebuilding the documentation with the new version number.

Re: TR: Slave Zones for Bind 9.11

2018-06-17 Thread Evan Hunt
isn't transferred at all. There's a single copy of the zone in memory, and both views have pointers to it. You can still use the file option.

Re: TR: Slave Zones for Bind 9.11

2018-06-17 Thread Evan Hunt
n your internal and external views, then views are unnecessary. Just use "allow-recursion { localnets; };" and external queries won't be allowed to do recursion.

Re: BIND 9.11.4 dnstap not capturing updates

2018-08-03 Thread Evan Hunt
't care about opcodes, and "query" is the same as "request". I can't think of any reason not to tap update requests, but I do wonder whether an extension to the type enum would reduce confusion.

Re: about the effect of installing with "--without-openssl"

2018-08-25 Thread Evan Hunt
export requirements for crypto libraries, which meant openssl wasn't available on all platforms, and I've always guessed it was because of that. No longer an issue, anyway.

Re: about the effect of installing with "--without-openssl"

2018-08-26 Thread Evan Hunt
by using "configure --without-openssl". There will be features you can't use. They're good features, and in my opinion disabling them is a mistake, but you are allowed to do so. In BIND 9.13, the option to disable these features no longer exists. -- Evan Hunt

Re: 'tsig-keygen' vs 'dnssec-keygen' - keysize

2018-09-05 Thread Evan Hunt
> you mentioned below (not that I really want to). Is it a 9.12 onwards > thing? No, but Mark's comment may have been confusing. You can set up keys that way in named.conf ("algorithm hmac-md5-96;" or whatever). At first I thought he was talking about tsig-keygen; perh

Re: KSK Rollover

2018-09-06 Thread Evan Hunt
ds? If not, run "rndc-confgen" and follow the directions.

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Evan Hunt
of text, but since "secroots" already existed before that change, we left its default behavior the same as it had been before, and added a "-" option to return text over the command channel.

Re: stop on unrecognized qresult in rpz_rewrite()

2018-09-29 Thread Evan Hunt
"). It's fixed in the upcoming release.

Re: odd failures from 9.12.2-P2

2018-10-18 Thread Evan Hunt
the test -- they would have been deleted if it had passed but should still be there now -- which can also be used to work out what went wrong. If you want to just tar up bin/tests/system and send it to me, I'd be happy to take a look.

Re: stop on unrecognized qresult in rpz_rewrite()

2018-11-16 Thread Evan Hunt
e synth-from-dnssec doesn't exist in 9.11, there must be another cause in your case. Very sorry for misleading you. How often are you seeing this?

Re: BIND 9.12.3-P1: No additional section

2019-01-15 Thread Evan Hunt
ct the > authoritative behavior. But I don't understand, why this happens when > "minimal-responses no;" is configured. Authoritative or recursive? Can you give a specific example of a query that isn't getting an additional section and should

Re: BIND 9.12.3-P1: No additional section

2019-01-15 Thread Evan Hunt
re was a reason for the change that I've forgotten, but I think we intended to leave the "no" behavior alone. Thanks for bringing it up, I'll open a bug ticket about it.

Re: DNS Flag Day may cause any problem in private DNS servers ?

2019-01-24 Thread Evan Hunt
rs not to use EDNS when talking to that specific server. That option will still be available after flag day. An easy way to check would be to install the latest BIND development release (version 9.13.5) and see if it works. It already has all the flag day changes in it.

Re: Bind has a database option instead of zone files?

2019-01-27 Thread Evan Hunt
others. I'd need to know what database you're using and what kind of zones you're serving (big or small, DNSSEC signed or not, high-traffic or not) to be of much help.

Re: EDNS Client-Subnet

2019-03-01 Thread Evan Hunt
ure, but so far we've hesitated out of skepticism that ECS is a good idea that will be needed very much in the long term - we don't want to have to support it forever if it fizzles. But we do revisit the conversation periodically.

Re: question about "Assertion Failure" in BIND

2019-03-07 Thread Evan Hunt
> paradigm, so I'm not sure if every assertion failure can cause BIND to > crash and is there any mechanism in BIND that can just drop the event > which triggers an assertion failure and move on to other events? Thanks. An assertion failure is always a crash.

Re: DELV 9.12.3-P1 - Issue Loading Trusted Keys

2019-03-13 Thread Evan Hunt
"). | | Keys that do not match the root zone name are ignored. An alternate | key name can be specified using the +root=NAME options. So if you add +root=newdomain.bell.ca it should load the key.

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-24 Thread Evan Hunt
's useful, but I think Grant was suggesting having named itself dump its current configuration state, which would be useful in a whole different way.

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-04-03 Thread Evan Hunt
elevant code and comments in configure_view() you might see how easy it is to be misled.) I actually do still think that *ought* to be the rule for allow-update, but it wasn't, so when I cleaned things up I cleaned them up wrong, mea culpa.

Re: 9.14.0 filter-aaaa

2019-04-15 Thread Evan Hunt
On Sun, Apr 14, 2019 at 05:35:42PM -0700, Carl Byington via bind-users wrote: > named-checkconf likes that, but named gets a segfault in filter-.so. > Anyone using filter-.so in a working configuration? The log shows: > > Apr 14 17:15:18 ns named[29299]: mem.c:1795: INSIST(mpctx->allocated

Re: bind 9.14.1 qname-minimization

2019-04-26 Thread Evan Hunt
-minimization relaxed" really ought to be able to work around this, though, and I thank you for bringing it up. You can file a bug report at gitlab.isc.org/isc-projects/bind9/issues if you wish. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Re: Should we remove the DLV code?

2019-05-22 Thread Evan Hunt
or a private corporate domain. AIUI, there are some people doing that; I don't know how many.

Re: dnssec-validation auto vs yes

2019-06-12 Thread Evan Hunt
ew syntax will be available in BIND 9.15.1, which should be out next week; the old syntax will be phased out later.)

Re: A policy for removing named.conf options.

2019-06-13 Thread Evan Hunt
the case when an option must be removed, and how to ensure operators aren't blindsided by that.

Re: A policy for removing named.conf options.

2019-06-13 Thread Evan Hunt
d probably be okay with it. But a standard policy that covers all deprecated options would need to be stricter than "enh".

Re: dnssec-keymgr fails to apply policy

2019-06-23 Thread Evan Hunt
is may be? It's a bug. I see the same result. Thanks for pointing it out, I'm looking into it.

Re: dnssec-keymgr fails to apply policy

2019-06-23 Thread Evan Hunt
On Sun, Jun 23, 2019 at 05:01:11PM +, Evan Hunt wrote: > It's a bug. I see the same result. Thanks for pointing it out, I'm > looking into it. Ah, I see the problem. You overrode the default policy by using the name "default", but you didn't set a "coverag

Re: rndc - sync before reload?

2019-07-14 Thread Evan Hunt
eload" loads the zone from the master file *plus* the journal file, if there is one. There's no need to sync the journal file to the master file before reloading. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please

Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote: > Is there any way to tell my resolver it shouldn't be validating > responses for foo.local? In 9.11, no. In 9.14, you can use "validate-except { local; };"

Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote: > In 9.11, no. In 9.14, you can use "validate-except { local; };" (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation on a given domain, but negative trust anchors expire after a while, so yo

Re: DNSSEC basic information

2019-09-23 Thread Evan Hunt
nsecurely when it's been misconfigured. In newer releases there's also a configuration option, "validate-except", which permanently disables validation below specified domains. This can be used, for example, if you have an internal net

Re: DNSSEC basic information

2019-09-23 Thread Evan Hunt
On Tue, Sep 24, 2019 at 03:15:42AM +, Evan Hunt wrote: > Six years is a long time, I've probably forgotten a few. Oh here's one: "dig +sigchase" is dead now, use "delv" to check DNSSEC validation chains.

Re: function in DNS to provide an answer depending on the source of query.

2019-12-05 Thread Evan Hunt
l module, but views are easier.

Re: Binary zone file and journal compatibility between Bind9 versions

2025-01-09 Thread Evan Hunt
, but the change should be detected and handled correctly when upgrading, and there's a tool for upgrading or downgrading manually if needed (named-journalprint -u and -d, respectively). There was also a "map" file format for a while, and it was much touchier, but it's be

Re: ECS subnet

2025-02-24 Thread Evan Hunt
you, though. I don't think I've understood what you're trying to do.

Re: Questions about "dnssec validation" statement

2025-03-06 Thread Evan Hunt
zones > we have, we know do not use dnssec and queries fail if it's not set to > no. "validate-except { domain1; domain2; ... };"
