Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote: > On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote: > >Hello, > >I was setting up BIND DNSSEC and when I issue the following command the > >process never finishes. > >dnssec-keygen -a RSASHA1 -b 1024 -n ZONE examp

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote: > Thanks a lot, I have now resolved this issue. However, I was following > the DNSSEC in 6 minutes guide [1] > for learning purposes and I have followed all the steps up to "you are > now serving DNSSEC signed zones". Reading the presenta

Bind 9.9.x inline signing

2012-06-03 Thread Mark Elkins
Eventually got down to some experimenting again. These are observations - which may help others. I followed example 1 of Evan Hunts https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html (I'm using bind 9.9.1) I did change the name of the zone and didn't bother with

Re: VMware & Bind

2012-06-05 Thread Mark Elkins
Just make sure you have an adequate supply of Randomness if playing with DNSSEC (or any key generation stuff). On Tue, 2012-06-05 at 13:33 -0400, jcarrol...@cfl.rr.com wrote: > Technically VMware is not the OS but the hypervisor that controls other OS's, > such as Windows or Linux. I've implement

Re: Bind 9.9.x inline signing

2012-06-08 Thread Mark Elkins
with SHA256 rather than SHA1, thus my 'dnssec-keygen' invocation looks like: dnssec-keygen -a RSASHA256 -b 1024 dnssec-keygen -fk -a RSASHA256 -b 2048 So I have a beautiful NSEC managed zone - on to test with NSEC3! On Sun, 2012-06-03 at 18:01 +0200, Mark Elkins w

Re: Verify raw data within slaves on 9.9.x

2012-06-12 Thread Mark Elkins
On Mon, 2012-06-11 at 15:51 -0700, Walter Smith wrote: > Folks, > > > What tools/commands I can run to get plain ascii/text data out of > modern raw/binary on BIND 9.9.x slaves? > I just want to verify that changes are correct down to the slaves. So > - I can check-in these changes into svn etc.

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Mark Elkins
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote: > I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. > The Bv9ARM doesn't discuss this procedure explicitly as far as I can > tell, but section 4.9 presents some clues. I'd like to ask the experts > on this list if th

Re: rndc signing -nsec3param

2012-08-12 Thread Mark Elkins
Have a look in the BIND log files when you are doing this. Look for lines containing: zone_addnsec3chain for example, try changing just the salt... (which is something one might do periodically...) It all starts to make more sense. I agree with the original posting thought - some more example

Re: Version statement...

2012-08-19 Thread Mark Elkins
I don't understand the problem... Before I changed my 'named.conf' and added a 'version "BIND";' line to the options section - I got... dig @localhost chaos txt version.bind +short "9.9.1-P2" Stopped and restarted BIND, Now I get... # dig @localhost chaos txt version.bind +short "Porcupine Meat

Re: ho to filter hundeds of domains ?

2012-08-30 Thread Mark Elkins
On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote: > On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote: > > On Thu, Aug 30, 2012 at 03:16:32PM +0200, > > fddi wrote > > a message of 15 lines which said: > > > >> Actually many telephone companies in the world are doing this, > >

Re: Suspecious DNS traffic

2013-03-26 Thread Mark Elkins
Maybe I can try. In the very old days - when BIND as a recursive resolver was chasing down an answer to a question, it would send the remote authoritative DNS server the query in a UDP packet which has a query ID which was numbered sequentially. This was bad as bad people could guess your next qu

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Mark Elkins
Try using a more simple MD5, short key. Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA) There was also some sort of length bug? - try 128 bit length. On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote: > After working on this some more overnight. > > I can add records interac

Re: Understanding Kaminsky exploit w/bind

2013-04-15 Thread Mark Elkins
On Sun, 2013-04-14 at 21:30 -0500, Jamie Ostrowski wrote: > > > > Hello, > > > I hope this isn't too off-topic, but I've been studying the Kaminsky > DNS exploit and I have a question. > > > According to what I've read on the topic, the Kaminsky exploit > hijacks a whole domain, and that

Re: ISC Courses

2013-04-27 Thread Mark Elkins
If you live in Africa and can get South, ZACR (UniForum SA), the "co.za" registry people provide free DNS Courses in Johannesburg and Cape Town. You still have to cover personal travel, food and lodging though. These are proper DNS training courses, three day Intro and four day Advanced courses. Th

Re: Reverse address entries

2013-06-28 Thread Mark Elkins
On Fri, 2013-06-28 at 17:54 +, Ward, Mike S wrote: > Hello all, is there any reason to setup reverse address entries for a > zone? I have asked some of the admins here and the consensus from them > is that only A records are necessary. Is this true? (IPv4 hat on) I've taught my staff to plan u

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Mark Elkins
On Fri, 2014-03-14 at 14:54 -0400, Kevin Darcy wrote: > On 3/14/2014 2:39 PM, Maren S. Leizaola wrote: > > On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote: > >> On Fri, Mar 14, 2014 at 12:33:47PM +, > >> Phil Mayers wrote > >> a message of 25 lines which said: > >> > >>> dig @server zone a

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mark Elkins
On Wed, 2014-02-26 at 00:55 +, Michael McNally wrote: >A new compile-time option, "configure --enable-native-pkcs11", >allows the BIND 9 cryptography functions to use the PKCS#11 API >natively, so that BIND can drive a cryptographic hardware service >module (HSM) directly instea

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mark Elkins
On Mon, 2014-03-17 at 20:06 +, Evan Hunt wrote: > On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote: > > Yes, it was my understanding of how HSM worked. That's why I was trying to > > build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one > > side, and PKCS11 i

Re: High recursive client counts

2014-03-25 Thread Mark Elkins
This might be a dumb answer but as the machine is part of a virtual server, perhaps you have simply run out of entropy? I know it's a Resolver... but isn't perhaps BIND using Entropy to randomly talk on different ports to get answers? What about installing the 'haveged' package, www.irisa.fr/caps/p

Re: tsig-key

2014-06-10 Thread Mark Elkins
If it was and is now no longer working, re-sync/reset your clock on the machine. TSIG needs the clocks (your PC time) correct to within 5 minutes. On Tue, 2014-06-10 at 18:56 +0300, Mohammed Ejaz wrote: > > <#secret "ODvOnAg9F2j2Y09jTQ

Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote: > No, what I'm saying is that if > > example.com owns an A record 203.0.113.48, and > www.example.com owns an A record 203.0.113.48, then > > where does 48.113.0.203.in-addr.arpa point? > > Some people will point it at example.com, some will

Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
kes sense for a PTR RRset to contain a *single* RR. I would still disagree. When there is forward<-->reverse checking, one may need the complete answer. I certainly have some processes that do an exhaustive check. - Kevin > > On 9/11/2014 3:45 AM, Mark Elkins wrote: > > > O

Re: tsig indicates error

2015-07-24 Thread Mark Elkins
On Fri, 2015-07-24 at 11:05 -0400, Alan Clegg wrote: > Possible problems: >Mismatched keys. >Mismatched key names. >Mismatched clocks. Yes - running some sort of Time Synchronisation is often overlooked. Check: Simultaneously run "date" on both machines - must be within 5 minutes of ea

Re: tsig indicates error

2015-07-24 Thread Mark Elkins
On Fri, 2015-07-24 at 15:44 +, Managed Pvt nets wrote: > > > On 24/07/2015 5:05:24 PM, "Alan Clegg" wrote: > > > Possible problems: > >Mismatched keys. > >Mismatched key names. > >Mismatched clocks. > > Most likely mismatched key. I have to figure out how to make sure my >

Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Mark Elkins
On Thu, 2015-08-20 at 09:50 -0500, /dev/rob0 wrote: > On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote: > > There are a number of providers out there offering secondary > > dns services for free or for a few bucks/month. Even DNSSEC > > is possible for free. > > This is good news! I

Re: About query response on a view

2015-12-09 Thread Mark Elkins
If you ever want to do DNSSEC - you are going to have a problem. If possible - have two different servers, one for inside, one for outside. This could be: (1) Two different machines (2) One machine - virtualised - each of the two virtual machines logically like (1) (3) One machine with two IP add

Re: About query response on a view

2015-12-10 Thread Mark Elkins
s, but separating them with views isn’t a good solution? > > @Eray Aslan, additional-from-cache and additional-from-auth settings > did the trick, now server gives “query refused” > > @Barry Finkel, yes I typed dig ww. At that point, every recursive > query gives the same output.

Re: Trouble with option managed-keys

2016-05-17 Thread Mark Elkins
"managed-keys" is not a config option, try moving it outside the option stanza, eg options { version ""; // remove this to allow version queries listen-on{ 127.0.0.1; 192.168.21.101; }; listen-on-v6 { none; }; empty-zones-enable yes; allow-query

BIND-9.16.1 & KASP

2020-04-13 Thread Mark Elkins
Hi all, I have been experimenting with BIND-9.16.1 & KASP. So far - it really looks great and it should greatly simplify DNSSEC for the masses. My named.conf entry:- dnssec-policy "ecdsa256-policy" {     dnskey-ttl 3600;     keys {     ksk lifetime unlimited algorithm ecdsa256;     zs

Re: BIND-9.16.1 & KASP

2020-04-14 Thread Mark Elkins
Thanks for the reply On 2020/04/14 08:42, Matthijs Mekking wrote: Mark, On 4/13/20 8:54 PM, Evan Hunt wrote: On Mon, Apr 13, 2020 at 02:22:53PM +0200, Mark Elkins wrote: Question - What are the "TYPE65534" records? What are they saying? I am using "DiG 9.16.1" so

dnssec-keygen getting dates wrong

2020-08-30 Thread Mark Elkins
Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much up to date. dnssec-keygen - Version: 9.16.6 I create DNSSEC Keys in a manual process and in order to see when a Key was created (so I can rotate them - etc..) I look at the Creation date inside the 'key' file # dnsse

How do I insert "CDS 0 0 0 0"?

2020-10-04 Thread Mark Elkins
What is the magic incantation to inserting a "CDS 0 0 0 0" record in BIND. Version - BIND 9.16.6 (Stable Release) I've read RFC8070 - which says... (https://tools.ietf.org/html/rfc8078) The contents of the CDS or CDNSKEY RRset MUST contain one RR and only contain the exact fields as shown belo

Re: Serial number question..

2020-12-17 Thread Mark Elkins
I was wondering if there was any significance in the SOA serial value $ date --date='@1297117089' Tue Feb  8 00:18:09 SAST 2011 $ date --date='@1762233707' Tue Nov  4 07:21:47 SAST 2025 ...so nope (but sort of close?) Personally - I try and use a MMDDxx format in my SOA Serial number -

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Mark Elkins
I think getting rid of SHA1 DS (DS type 1) records would be a reasonable thing to do. They are weaker than SHA256 DS (DS type 2) records. Generally, in life, making things simpler is a good idea and I believe that applies here too. .COM only provides DS type 2 records in the root so if there w

Re: DNSSEC upgrade

2021-04-29 Thread Mark Elkins
Waiting twice the TTL is the safe option. Start counting from when you see the new DS record in the parent. To be even more pedantic, start counting after all authoritative Nameservers have the new DS record... Quite easy to do from a script. And the recommendation to move to ecdsa-p256-sha256

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Elkins
And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC. One suggestion though. When one signs an IPv4 reverse - use NSEC - as everyone can guess what is there anyway. With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy

Re: Change records in DNS slave if master is offline

2021-12-19 Thread Mark Elkins
Apart from master/slave now being Primary/Secondary  (mindset change after 25 years of DNS management) ... I kind of like the idea - except if the Primary server is DNSSEC Signing that zone (and DNSSEC is a really smart thing to be able to do) then editing a Secondary is not a very simple

CDS records created from ZSK records?

2022-01-24 Thread Mark Elkins
I've just noticed that in the last few days that "BIND 9.16.22 (Extended Support Version) " appears to be generating CDS records for both KSK ***and ZSK*** records! Nothing on my side has been changed although I do run automated updates. I'm on a Linux machine running Gentoo. $ dig DNSKEY ED

Re: CDS records created from ZSK records?

2022-01-25 Thread Mark Elkins
--- ... but until there is a trigger system so I can call code to do an EPP based KSK rollover to the parent, will keep what I've got as it (usually) works. On 1/25/22 12:58 AM, Mark Andrews wrote: On 25 Jan 2022, at 07:35, Mark Elkins wrote: I've just not

Re: Can't modify an existing SPF record

2022-07-08 Thread Mark Elkins
There can only be one SPF TXT record per domain. A complete record could look like. domain1.com.  IN    TXT   "v=spf1 a:mail.domain1.com a:smtp.domain1.com a:relay.domain2.com -all" It should be logical to use a (domain) name because that name could have multiple IP addresses, both I

Key ID from DNSKEY - how?

2010-10-27 Thread Mark Elkins
I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to do this in PHP as this is inside some existing PHP (Web) scripts but I guess calling a C program would not be too inconvenient. I'd like to index records (ie DNSKEY and DS Records) according to their Key-ID - and present them

Re: MySQL BIND SDB

2010-11-16 Thread Mark Elkins
Interesting. I store my zones in MySQL (great for maintaining them) but dump them to flat file format to hand to BIND. This allows me to DNSSEC sign some of my zones. (I also hold the DNSKEY records in the DB). How would BIND sign a zone that is in a Database? Can BIND do this? ALL examples of usi

Re: Dynamic zone...

2010-12-30 Thread Mark Elkins
I do this for my Laptops. They can pick up an address from the local network (where ever I am visiting, Airports, Data Centers, friends, work - etc) and then update the info back home on my own network. Basics - when DHCPCD gets an IP from upstream - it uses nsupdate to send this info to a dynamic

Re: Dynamic zone...

2010-12-31 Thread Mark Elkins
On Fri, 2010-12-31 at 09:56 +0200, Mark Elkins wrote: > I do this for my Laptops. They can pick up an address from the local > network (where ever I am visiting, Airports, Data Centers, friends, work > - etc) and then update the info back home on my own network. > > Basics - when

DNSSEC Keys - and trying to not leaving them around

2011-01-12 Thread Mark Elkins
There are some parts of Key management with DNSSEC that I don't quite get - so I'm hoping for some feedback. I'm using BIND 9.7.2-P3 and running "dnssec-signzone -3 "abcd" -o example.com -p -t -A example.com" I believe that:- 1 - The KSK is used to sign the ZSK. 2 - The ZSK is used to sign the re

DNSSEC's sorted zone

2011-01-12 Thread Mark Elkins
Still playing with DNSSEC and signing zones. I'm resigning an already signed zone. I'm doing this on a hyper-threaded 4-core i7 (Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz) which under linux gives me 8 cores. I'm using the command: dnssec-signzone -3 "abcd" -o example.com -p -t -A -d keyset -g -a

Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Mark Elkins
On Tue, 2011-05-24 at 13:22 -0500, Timothy Stoddard wrote: > Has any one run into a issue with two named processes running on the > same host. We want to begin serving up DNS on our IPv6 address space > and do not want to duplicate each of our DNS servers. We have started > two named processes o

Re: How to Setup a Name Servers visible on Internet?

2011-06-14 Thread Mark Elkins
Eric, Did you know that UniForum SA (the CO.ZA administrators) provide free DNS classes for people that live in South Africa? (Intro and Advanced). So you'd need to get over to Johannesburg and/or Cape Town and pay for some accommodation - but the courses are free. You can see and book for the co

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Mark Elkins
On Thu, 2011-07-28 at 14:07 -0400, Khuu, Linh Contractor wrote: > Hello, > > I’m new to IPv6 configuring in BIND. I need help. The forward zone is > simple enough with record, but the reversed zone is a bit > confusing to me. > > For example, I want to add a hostname of www.example.com to

Re: CNAME or A record?

2011-09-28 Thread Mark Elkins
IPv6 - duplicate the above... (this line next to the other "NameVirtualHost" NameVirtualHost [2001:1:1::80] ServerName domain.com ServerAlias www.domain.com ... -- Mark Elkins Posix Systems ___ Please visit https://lists.isc.org/mailma

Re: DNSSEC Signing & Key Questions

2011-10-04 Thread Mark Elkins
k > you in advance. > > > > Thanks, > > > > -Kevin > > > > Kevin McConville > > University at Albany > > > > > > > _______ > Please visit https://lists.isc.org/mailman

Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
everything is OK. Bug? Simply how it should be by design? This really disturbs me - these Keys take ages in the real world to migrate using reasonable timings - do I have to Zap all my Keys - redo all zones. Is this always the case when an Algorithm changes? Versions: BIND 9.7.3-P3, dnssec-k

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote: > > On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins wrote: > Basically - create a KSK and ZSK with RSASHA1 - Sign - and > visibly check > the results. > Add a new KSK using RSASHA256 - prep

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
h the RSASHA256 algorithm - then just switch over to creating KSK's with RSASHA256 as well. I just never knew switching Algorithms would bite me. No one ever told me. On Sat, 2011-10-15 at 20:58 +0100, Matthew Seaman wrote: > On 15/10/2011 20:32, Mark Elkins wrote: > > So what you are

Re: Mixing Algorithms for DNSSEC

2011-10-16 Thread Mark Elkins
On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote: > On 10/15/2011 08:32 PM, Mark Elkins wrote: > > > > So what you are saying in practical terms is in order to migrate from > > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which > > cycle once

Re: Strange issue with signed zone

2011-10-27 Thread Mark Elkins
On Wed, 2011-10-26 at 13:59 +0400, Peter Andreev wrote: > Hello! > > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we have > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. > Recently we realised that our servers don't generate NSEC3 for signed zone. > Problem has gone af

Algorithm 'When to use EDNS0'?

2011-11-29 Thread Mark Elkins
I'm Running Bind 9.7.3-P3 (Gentoo build)... When does 'EDNS' get brought into the picture? A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) - but a dig without '+dnssec' and actually asking for the 'dnskey' records for a domain - which is over 512 bytes - does a "Truncated, re

Re: dnssec-keygen not responding

2011-11-30 Thread Mark Elkins
On Wed, 2011-11-30 at 13:45 -0600, Michael Graff wrote: > On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote: > > In RHEL there is a RPM package called unuran. > > It's a random number generator daemon using either a piece of hardware or > > /dev/urandom as source. Running this will provide enough

Re: Algorithm 'When to use EDNS0'?

2011-11-30 Thread Mark Elkins
On Tue, 2011-11-29 at 15:36 +0200, Mark Elkins wrote: > When does 'EDNS' get brought into the picture? > A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) - > but a dig without '+dnssec' and actually asking for the 'dn

Re: DNSSEC authentication and ad parameter

2012-01-10 Thread Mark Elkins
It is working. -- $ dig test.nknsec.in +dnssec ; <<>> DiG 9.8.1 <<>> test.nknsec.in +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL:

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread Mark Elkins
On Wed, 2012-01-11 at 11:50 -0500, Howard Leadmon wrote: > Thanks, I will head on over and take a look, sounds like something I should > be interested in.Now if FreeBSD would just add 9.9 to the ports > collection, it would save me from having to build it by hand.. I think BIND 9.9 is defini

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Mark Elkins
On Wed, 2012-01-11 at 19:26 +0100, Jan-Piet Mens wrote: > > Next great thing would be for ISC to support the Soft-HSM that > > OpenDNSSEC uses. I believe that this would make the step of moving to a > > real hardware HSM a lot easier (if necessary). > > BIND has supported the PKCS#11 interface (./

RE: nslookup/dig question

2012-01-25 Thread Mark Elkins
On Wed, 2012-01-25 at 16:57 +, JeanPaul Thomsin wrote: > Antonio and John: > > > > You were right on. /var/log/messages indicated there was a problem > with named.conf. > > I had done a check with named-checkconf and it found no errors, so i > thought it was OK, > > but the logs said othe

Re: bind 9.9 & inline-signing issue..

2012-01-29 Thread Mark Elkins
I agree with you. I took your example and installed bind 9.9.0b2 I also updated my 'soa' in the unsigned... Am getting the following in my log... Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901 Jan 29...: zone test1.co.za/IN (signed): loaded serial 200105 (DNSSEC signed) A

Re: bind 9.9 & inline-signing issue..

2012-01-29 Thread Mark Elkins
with that domain in that directory. Used this for over a year now and it works well for me (organised clutter). On Sun, 2012-01-29 at 23:37 +0200, Mark Elkins wrote: > I agree with you. I took your example and installed bind 9.9.0b2 > I also updated my 'soa' in the unsigned... >

Re: bind 9.9 & inline-signing issue..

2012-01-30 Thread Mark Elkins
On Mon, 2012-01-30 at 13:38 +, Tony Finch wrote: > Mark Elkins wrote: > > > > I also see... > > $TTL 0 ; 0 seconds > > TYPE65534 \# 5 ( 08467D0001 ) > > TYPE65534 \# 5 ( 0896730001 ) > > appearing o

Re: trying DNSSEC with 9.9-rc1

2012-02-02 Thread Mark Elkins
On Wed, 2012-02-01 at 17:18 -0500, Michael W. Lucas wrote: > Hi, > > I'd put off DNSSEC because of the high maintenance requirement. But > with 9.9 and inline signing, it looks like I can now do DNSSEC the way > I need (static zone files that work with legacy tools, automatic key > rotation, etc.)

Using TCP for checking

2009-04-07 Thread Mark Elkins
I'm involved in the CO.ZA Registry. In the process of registering a domain name in the co.za zone - we do a bunch of DNS checks using 'dig'. for each nameserver, a) check that the zone exists (fetch the SOA), b) fetch the NS RRSet count and compare entries. c) if Nameserver inside the dom

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-05 Thread Mark Elkins
Does work with bind 9.6.0 - as NSEC3 is available... ; <<>> DiG 9.6.0-P1 <<>> +dnssec @127.0.0.1 SOA gov. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 1 ;; O

Re: tcp versus udp

2009-05-05 Thread Mark Elkins
On Wed, 2009-05-06 at 07:59 +0200, Stephane Bortzmeyer wrote: > On Wed, May 06, 2009 at 12:00:12AM -0400, > Danny Mayer wrote > a message of 39 lines which said: > > > That's nonsense. > > That's Peter Dambier. If you try to fix every mistake he makes, you're > not over soon... Some people a

Re: [DNSSEC] SERVFAIL when resolving ".gov" through DLV

2009-05-06 Thread Mark Elkins
On Tue, 2009-05-05 at 13:45 -0500, Jeremy C. Reed wrote: > On Tue, 5 May 2009, Stephane Bortzmeyer wrote: > > > This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's > > DLV: > > https://www.isc.org/node/437 Question on using "trusted-keys": There are two public sources of "tru

Re: Automating a KSK rollover

2009-07-05 Thread Mark Elkins
I've added some automation around signing zones. For the KSK - it has a default life of 12 months. I'm looking at having two valid KSK's running with an overlap of 6 months. This means updating dlv.isc.org every 6 months, adding a new key, removing the old key and leaving the key that's 6 months old.

DNSKEY Validation

2009-07-12 Thread Mark Elkins
I'm writing some DNSKEY Verification code in PHP If I am given ... 257 3 5 BQEBoURzbExxQ7B7dwyYIxLKdCUWDrbvBsLOsDvKO2hmJdrzSYIV gd8m +scQO2zD2U6Uw5cL7E+QRCJl48pcA+7k6uuTwSdS11CAR1MkvwC1 NDVmR6vHSp55qKIhov4QljLr66BAYT2K9o0O/+JBhimjAGQ+IUBFMmwB f5lk57YX9T8= (a valid - I hope - dnskey for cozates

Re: DNSKEY Validation

2009-07-14 Thread Mark Elkins
is.net>, Danny Mayer writes: > > Stephane Bortzmeyer wrote: > > > On Sun, Jul 12, 2009 at 08:42:27PM +0200, > > > Mark Elkins wrote > > > a message of 31 lines which said: > > > > > >> Arg 3 should be 5 (or maybe 3) - the algorith

Re: DNSKEY Validation

2009-07-14 Thread Mark Elkins
On Tue, 2009-07-14 at 17:50 +1000, Mark Andrews wrote: > In message <1247555725.13064.4.ca...@ilinux>, Mark Elkins writes: > > OK - so I accept that the algorithm will change. > > > > What about some sort of validation of the base-64 part of the key? > > Is t

Re: about tcp port 53

2009-07-29 Thread Mark Elkins
On Wed, 2009-07-29 at 12:35 +0800, Tech W. wrote: > --- On Tue, 28/7/09, Stephane Bortzmeyer wrote: > > > what's the use of bind's tcp port 53? > > DNS requests and responses. > oh, I was always thinking dns requests and responses are going with udp > protocal. under what condition it uses tcp pr

Re: Format of 'dig -k' "TSIG key file"?

2009-07-31 Thread Mark Elkins
On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote: > What does work is: > dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone > @other.example.zone > but I really, really find this not altogether pleasant. This gets a bit more funkie when you are not using the default key-algorithm

Re: is TSIG key rollover possible?

2009-09-15 Thread Mark Elkins
Don't think TSIG Key roll-over is possible - in the DNSSEC sense. Don't think it is as necessary either. I have separate TSIG relationships between my Primary and Secondary peers. I use the same TSIG for all zones that are on both peers - the TSIG is to secure the path between the two peers. I also

Reasonable setup of a dnssec aware recursive resolver

2010-03-29 Thread Mark Elkins
I'm trying to come up with an interim solution for my ISP's DNS Recursive Resolver that is DNSSEC aware. My thoughts so far:- Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux gives me). In order to fetch both iTAR and DLV signatures - use a patched version of WGET that is dnss

Re: Reasonable setup of a dnssec aware recursive resolver

2010-03-29 Thread Mark Elkins
On Mon, 2010-03-29 at 11:17 +0200, Mark Elkins wrote: > I'm trying to come up with an interim solution for my ISP's DNS > Recursive Resolver that is DNSSEC aware. > > My thoughts so far:- > Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux > gives

dig and IDN

2016-10-12 Thread Mark Elkins
O.S. - Linux Gentoo. BIND/BIND Tools: BIND 9.10.4-P3 I've been using "dig axfr" to fetch signed and unsigned zones for doing comparisons. The output is easy to parse as dig gives one line records - fully qualified - etc. One of the records includes some IDN (Puny) stuff.. xn--caf-dma.dnssec.co.z

Re: Troubleshooting BIND stops responding

2017-03-30 Thread Mark Elkins
On 30/03/2017 06:35, i.chu...@volga.ttk.ru wrote: > Greetings to everyone! > > I'm an engineer at local ISP and we have to provide 2 DNS servers running > BIND for our clients. We have logs full of various BIND errors but are > unable to gain full understanding of the problem. The main problem

Re: named-checkzone with multiple $ORIGIN

2017-06-05 Thread Mark Elkins
Most certainly - Yes. You have a single zone here, thus only: named-checkzone example.com example.com.zone ...should work. Wait till you play with a reverse IPv6 zone - where I personally use many $ORIGIN statements - saves hours of typing and makes reading the Zones s

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-18 Thread Mark Elkins
Put two reverse records in both the IPv4 and IPv6 reverse zones in the "125.124.123.in-addr.arpa" zone: 126 IN PTR mail.xxx.com. 126 IN PTR ns.xxx.com. and the same sort of thing in the reverse IPv6 zone. To calculate run:- 2a01:e34:::::1122:3344 and see what que

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-19 Thread Mark Elkins
Another solution could be to make one of the names a CNAME pointing to the other name. -or- Just use one generic name for both services. rather than the two "service" names. Although in all honesty, I see nothing wrong with a lookup returning two answers (in a single response packet) for the o

Automatic Key Management

2017-09-14 Thread Mark Elkins
With BIND version 9.12  coming out - I'm wondering if I've missed any announcements on some form of Automatic (DNS)Key Management? Something that will create and retire keys according to some sort of policy. Does anyone have nice and up-to-date cheat sheets of the easiest way to do DNSSEC with BIN

Re: Automatic Key Management

2017-09-16 Thread Mark Elkins
On 14/09/2017 16:55, Tony Finch wrote: > Mark Elkins wrote: > >> With BIND version 9.12  coming out - I'm wondering if I've missed any >> announcements on some form of Automatic (DNS)Key Management? >> Something that will create and retire keys according to

Re: DNS-Format-Eroor

2017-12-18 Thread Mark Elkins
$ dig mumbai-m.site ns ; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;mumbai-m.site.            IN    NS ;; ANSWER SECTION: MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj. I seemed to have cached o

Re: disable dnssec for particular domain

2018-02-07 Thread Mark Elkins
Thanks for providing the domain name in question (testa.eu). Indeed, port 43 whois shows no nameservers - neither does the web based whois on whois.eurid.eu, though the name does exist in the 'eu' registry system. Dig gives me nothing either... $ dig testa.eu ns +short $ dig testa.eu ds +short

Re: questions on allow-query

2018-02-19 Thread Mark Elkins
Reading between the lines - it sounds like you may be mixing nameserver roles, recursion with authoritative. This is not a good idea and is why other Nameserver software (NSD, UNBOUND and others) either perform one role or the other. I understand that BIND-10 was also designed like this - separate

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
It would probably have been more helpful (speeded up finding the problem) if the error message "file 'named.secroots': permission denied" also gave the directory name that it was trying to write to? Just a thought. Sometimes we don't see the obvious. On 09/06/2018 10:58 PM, Brent Swingle wrote: >

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
wrote: > Hi Mark, > > Dne 7.9.2018 v 10:49 Mark Elkins napsal(a): >> It would probably have been more helpful (speeded up finding the >> problem) if the error message "file 'named.secroots': permission denied" >> also gave the directory name that it

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
ong ago. It looks like someone else also asked the same question but wasn't allowed to change the default behaviour. :-( So, if you are having issues running "rndc secroots", a quick suggestion would be to try appending a 'hyphen' ('-') as an additional argument and

Re: DNSSEC and secondary DNS servers

2018-09-08 Thread Mark Elkins
Some clarification Have you DNSSEC Signed your Domain - that is "covisp.net" because I don't see any DS records for it in the "net" zone. dig @a.gtld-servers.net. covisp.net ds flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 returns the SOA for NET - so I know I got to the r

DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Mark Elkins
Just for the record, although I do look from a curiosity point of view for Identical Key ID's once every few months - I've never seen them - until now. Now I have them - generated by BIND within a few days of each other... -rw-r--r-- 1 root root   431 Aug 18 00:03 Kipv6.org.za.+008+46578.key -rw-

DNSSEC and secondary DNS servers

2018-09-09 Thread Mark Elkins
hat are you using to sign your zone with? Maybe I can help. Take a look at https://dnssec.co.za On 09/09/2018 08:59 PM, LuKreme wrote: > On Sep 8, 2018, at 10:21, Mark Elkins <mailto:m...@posix.co.za>> wrote: >> Have you DNSSEC Signed your Domain - that is "covisp.net >

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Mark Elkins
On 10/04/2018 05:03 PM, Roberto Carna wrote: > Hello, thanks to both of you for your help. Now I understand I have to > contact my registrar in order to give it the DS of the KSK. > > Please I have a last question: > > I have two DNS servers running BIND 9.10, they have delegated my own > domain,

Re: Strange DNSsec failure [was incorrectly sent Thursday night]

2019-04-13 Thread Mark Elkins
Works fine for me? - unless it's been fixed in the meantime. This is stock standard bind. Nothing funny at all on both the query machine and the DNSSEC aware resolver. Both run the same version of BIND. $ dig  mx1.comcast.net ; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net ;; global options: +cm

Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
I  can't comment on com.au (but looking up the Nameservers, I see the AD bit set - so DNSSEC appears to be in use.. However, co.za (and net.oza, org.za & web.za) which are managed by the ZACR (and DNS) - they are all signed and I personally have domains under these second levels - all running

Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
your nameserver configuration to point to the signed zone file -Export your DS records (dsset) to the domain registration company (EPP). Confirm the chain.. http://dnsviz.net/d/apnic.com.au/dnssec/ Mal On 18/07/2019 4:46 pm, Mark Elkins wrote: I can't comment on com.au (but looking u
