Algorithm roll-over, unexpected content in dsset-file

2019-08-11 Thread Mark Elkins
Hi, Running BIND 9.14.4 on Gentoo. I've been running BIND and DNSSEC for a long time. Years ago - I changed from Algorithm 5 to 8 and am now changing from 8 to 13. My ZSKs have a lifetime of 34 days and my KSK a lifetime of 370 days. I've chosen to create a new ZSK every 17 days and KSK ever

Re: Algorithm roll-over, unexpected content in dsset-file

2019-08-12 Thread Mark Elkins
(Combined Signing Key), see https://tools.ietf.org/html/rfc6781#section-3.1 and https://tools.ietf.org/html/rfc8499#section-10 I don’t know exactly what you are trying to achieve, but adding only a ZSK with the new algorithm serves no purpose. Ondřej -- Ondřej Surý — ISC On 11 Aug 2019, at 1

Re: DNSSEC basic information

2019-09-24 Thread Mark Elkins
On 2019/09/23 23:00, John W. Blue wrote: Jukka, Some odds n ends in no particular order: 1. DNSSEC was designed for external zones 1) I'd also suggest using Algorithm 13 - Elliptical Curve - for any new key creations dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed This

Re: function in DNS to provide an answer depending on the source of query.

2019-12-05 Thread Mark Elkins
Views (with source views) can do this. Once had a config with five views - terrible idea. On 2019/12/05 09:57, Harshith Mulky wrote: Hello, Is there a possibility to achieve this from a DNS If Carrier A (source IP: A.A.A.A) sends NAPTR query X to DNS, then DNS replies NAPTR response Y.

Re: How to set up a dmarc record ?

2019-12-10 Thread Mark Elkins
The reason why is because you don't have a '.' at the end of "_dmarc.pasteur-cayenne.fr" so what you really have in your zone file is... "_dmarc.pasteur-cayenne.fr.pasteur-cayenne.fr." Another way of seeing this would be to do an AXFR of your zone - these mistakes then jump out at you! Why d

Re: Changing DNS servers (name only) for a DNSSEC enabled domain

2023-02-13 Thread Mark Elkins via bind-users
If the IP addresses of the DNS servers (dns[123].olddomain and dns[123].newdomain) are staying the same - then you only need to send an update to change your domain from being hosted at olddomain to newdomain. Ideally, the newdomain would be created first (pointing to the same IP addresses as i

Re: TLS Statistics

2023-08-02 Thread Mark Elkins via bind-users
Seems like an excellent idea. I've added an additional "Thumbs Up" to the ISC web page linked below. Perhaps others might do the same so this already two year old idea can be implemented a bit sooner? On 2023/08/02 10:00, Richard T.A. Neal wrote: Hi Florian, This feature doesn’t yet ex

Zone stats

2023-08-21 Thread Mark Elkins via bind-users
Hi, I'm writing some software to be able to read information from a Zone file. I am a legally authorised Secondary Authoritative Nameserver for a number of domains or rather zone files, eg. EDU.ZA (and others). Is there an easy way to:- 1) Count how many delegated domains there are (Names wi

Re: Zone stats

2023-08-27 Thread Mark Elkins via bind-users
riting in PHP and already use a similar PHP "NET::DNS" type library so shouldn't be difficult. Yes - this will go into a Database - etc.. On 2023/08/22 02:10, Timothe Litt wrote: (Sorry for the duplicate/reply without context).  See below. On 21-Aug-23 11:11, Mark Elkins

Re: Facing issues while resolving only one record

2023-08-30 Thread Mark Elkins via bind-users
To disable DNSSEC validation for a domain from the command line - I use: dig +cd eportal.incometax.gov.in Works as expected. Better answer is to get them to fix the problem. On 2023/08/30 17:08, Bob McDonald wrote: Turning off validation for that domain fix

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Mark Elkins via bind-users
Couple of things... Use the words Primary and Secondary... don't use Master and Slave - as it upsets many people. (I teach DNS/DNSSEC and still say dumb things at times, and I live in South Africa) The Secondary Nameservers should not have any additional DNSSEC configurations if the Primary

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Mark Elkins via bind-users
Hmmm - might be saying the wrong thing but... .SE was DNSSEC Signed waaay before the root, so if living in Sweden, one would prep your DNSSEC aware resolver with the DS Key of the .SE Zone. DNSSEC then worked for .SE domains. Perhaps do the same? I do get confused further down in this email w

Re: DNSSEC adoption

2022-08-03 Thread Mark Elkins via bind-users
I generally agree with you - comments in line On 8/3/22 5:56 PM, Peter wrote: I see a two-fold issue with DNSSEC: 1. The wide-spread tutorials seem to explain a key rollover as an exceptional activity, a *change* that is infrequently done. And changes, specifically the infrequent ones,

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Mark Elkins via bind-users
Yes - I think "automated" in-line signing would be useful in "dnssec-policy" run zones. We didn't need this some versions of BIND ago (I had to add it recently on a zone that I've been testing with - untouched from a year or so ago) We don't generally edit the signed zone - just the unsigned

dnssec-policy - KSK rollover

2022-11-23 Thread Mark Elkins via bind-users
Hi people, I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy I have put the following policy in my named.conf file:- dnssec-policy "ecdsa256-policy" {     signatures-refresh 5d;     signatures-validity 14d;     signatures-validity-dnskey 14d;     dnskey-ttl 3600;     publish-saf

Re: dnssec-policy - KSK rollover

2022-11-24 Thread Mark Elkins via bind-users
records in the Parent. Personally I like to keep the CDS in the child zone, so you can see if the parent is in sync, that is why I implemented it in BIND 9 to keep the CDS. Best regards, Matthijs On 23-11-2022 18:24, Mark Elkins via bind-users wrote: Hi people, I have read https://kb.isc.or

Re: dnssec-policy - KSK rollover

2022-11-24 Thread Mark Elkins via bind-users
OK - so I read RFC7344... Automating DNSSEC Delegation Trust Maintenance There are two interesting paragraphs. 5. CDS/CDNSKEY Publication: The Child DNS Operator publishes CDS/CDNSKEY RRset(s). In order to be valid, the CDS/CDNSKEY RRset(s) MUST be compliant with the rul

Re: Primary/Secondary

2025-02-09 Thread Mark Elkins via bind-users
I attended my first DNS Training course presented by Bill Manning at ICANN Rio de Janeiro March 2003. In December 2004, ICANN came to Cape Town - and Johan Ihrén (now Stenstam) and Bill Manning taught DNS together. Anyway, we (UniForum S.A. - now ZARC) started presenting DNS Training in South
