See part of the discussion Miek and I had at the golang group:
http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Priority%20Owner%20Reporter%20Summary&groupby=&sort=&id=3161
The bug seems to be that dnssec-keygen upgraded the fermat prime that
is u
On Wed, 25 Apr 2012, William SAMEN wrote:
Hi, all Bind'ers
I'm just trying to write a bash script which allows me to collect a list of
zones which are signed with dnssec by giving a file of request in argument.
So my problem is that I created my personal DNS with 3 signed zones when I'm
testi
I've gotten really annoyed at dig not taking the +do option.
Please consider applying this patch, many simple souls like me will
appreciate it a lot :)
Paul

diff -Naur bind-9.8.2-ori/bin/dig/dig.c bind-9.8.2/bin/dig/dig.c
--- bind-9.8.2-ori/bin/dig/dig.c	2012-05-08 22:34:19.059392999 -040
On Thu, 21 Jun 2012, Shawn Bakhtiar wrote:
Did you turn OFF SELinux?
That is not necessary.
I ran the tests with selinux enabled:
E:zonechecks:Thu Jun 21 17:23:31 EDT 2012
I:System test result summary:
I: 2 FAIL
I:45 PASS
I: 2 SKIPPED
Looking at the failed test and
On Thu, 12 Jul 2012, Carl Byington wrote:
But some people want the features in the newest stable version, and
others are installing a new machine with no pre-existing named.conf that
might be broken.
I started with the .spec file from EL6, removed all but two patches, and
now have a 9.9.1-P1 so
Hi,
When using dnssec-signzone manually to sign a zone, I think there is a
case where it does not drop the RRSIGs when I think it should. Imagine
that dnssec-signzone is used with the old signed zone's RRSIG/NSEC*
data, along with an updated "unsigned" zone.
Let's say we are example.com. At T=0 w
On Tue, 17 Jul 2012, Drunkard Zhang wrote:
I don't find the ways to limit of queries per minutes on this customer
Is it possible in Bind9 to filter these queries, to limit the responses
We use iptables doing this, which works fine for us:
iptables -A INPUT -p udp -m state --state NEW -m conn
(I don't think this made it to the list before, mixup of email addresses)
Please consider including this patch,
Paul
-- Forwarded message --
Date: Mon, 2 Jul 2012 17:45:08
From: Paul Wouters
Cc: Paul Vixie
To: bind-users@lists.isc.org
Subject: PATCH: dig warn user
On Mon, 23 Jul 2012, Stephane Bortzmeyer wrote:
The operators of F-root use this on their FreeBSD machines to
rate-limit per source IP:
add pipe 1 udp from any to any 53 in
pipe 1 config mask src-ip 0x buckets 1024 bw 400Kbit/s queue 3
add pipe 2 tcp
Hi,
I'm looking at creating "identical zones" with two independently
developed dnssec signers (bind + opendnssec). I stumbled upon three
differences, one of which might be a bug in bind.
opendnssec does not easily allow the DNSKEY RRset to be signed with
both KSK and ZSK. So I was looking at u
On Mon, 17 Sep 2012, Evan Hunt wrote:
Does anyone use dnssec-signzone with -x? If so, can you check/tell me
your DNSKEY RRset?
I just tested it with "dnssec-signzone -Sx example.com" and
"dnssec-signzone -x example.com", on 9.9.2 and 9.7.4, and it worked
as expected in all cases.
Were you si
On Thu, 3 Oct 2013, Casey Deccio wrote:
I would like to apply something similar to a "redirect" zone (for NXDOMAIN
responses)
You are why we can't have nice things :P
We had enough Sitewinders. With DNSSEC on the endnode, your lies won't
be believed anyway. What you are trying is wrong, bad a
On Thu, 23 Sep 2010, Michael Sinatra wrote:
On 09/23/10 12:53, Stewart Dean wrote:
On AIX, I'm used to /etc/dns. CentOS seems to place in /var/named. Is
there any blessed, bestofallpossibleworlds place for the zone files. I'm
moving our DNS from AIX to CentOS/Fedora. I'm inclined to crea
On Fri, 24 Sep 2010, Jason Mitchell wrote:
[...@clueby4.net ~]$ cat /etc/redhat-release
CentOS release 5.5 (Final)
[...@clueby4.net ~]$ yum info bind-chroot
Name : bind-chroot
That's only there as legacy though, to not break updating old systems
that depend on it. The recommended meth
On Mon, 25 Oct 2010, Adam Tkac wrote:
I have seen the “Actualización de ISC BIND 9.7” for the vulnerability with
DNSSEC
Is it possible to install the last bind version 9.7 p2 directly in my REDHAT?
Yes, it is. You can download it from ISC site and compile it.
Or use rpm to rebuild the rhel6bet
On Fri, 12 Nov 2010, Alan Clegg wrote:
On 11/12/2010 7:49 AM, David Forrest wrote:
While running BIND 9.7.2-P2 built with defaults on F11
[..]
and, on checking named.conf, I found the entry for br. as:
trusted-keys {
"br." 257 3 5
"AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJBNmpZXP27w7P
On Wed, 12 Jan 2011, Mark Elkins wrote:
dnssec-signzone -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N
increment -s 2011061553 -e 20110210161553 -f example.com.sign-1
example.com.signed
A minute later - I run the same command - but output to a different
file... -f example.com.sign-
On Thu, 13 Jan 2011, Mark Andrews wrote:
dnssec-signzone uses multiple threads to sign the zone a node at a
time. These work items finish in a non-deterministic manner leading
to a different order in the resulting text file being produced.
This is done after the zone was sorted to generate the
On Thu, 13 Jan 2011, fakessh @ wrote:
> I correctly configure my server centos dnssec on with as a
> representative of encryptions dlv isc. my question is relevant and was
> already asked but I have not found the complete answer on google. my
> question is how to include the DS record in the Keys.
On Fri, 21 Jan 2011, Sue Graves wrote:
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view. I.e. i
On Sat, 22 Jan 2011, JINMEI Tatuya / 神明達哉 wrote:
Does this work with DNSSEC if one loads an explicit trust anchor, even
if in the "world view" the trust anchor is missing?
I'm afraid I don't understand the question. Could you be more
specific, e.g., by using the above example.com example?
I
On Wed, 26 Jan 2011, p...@mail.nsbeta.info wrote:
Casey Deccio writes:
On Sun, Jan 23, 2011 at 10:30 PM, wrote:
Is there a document for dns & bind best practices?
I googled but found nothing valuable.
NIST SP 800-81 Rev. 1:
http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1
On Tue, 1 Feb 2011, Torinthiel wrote:
To clarify things, I'm using BIND 9.7.2-P2.
First is about input file: you can specify on the command line either the
signed version of the zone, or the unsigned one.
What I'd like to do however, is to use both.
The unsigned zone is much more readable, and
On Tue, 15 Mar 2011, Warren Kumari wrote:
After having tried to use the distribution supplied packages (for multiple
distributions) my opinion is that building from source is the right answer for
BIND. The distributions lag more than I'm comfortable with, and BIND builds
cleanly from source w
On Sat, 19 Mar 2011, fakessh @ wrote:
Subject: key DNSKEY for areas zone .eu
hi bind network
hi guru of bind
is there a special key DNSKEY for areas zone .eu
or should we be satisfied keys included in the tarball of bind
There already is a DS record delegation in the root zone, so no
speci
On Wed, 23 Mar 2011, Billy Glynn wrote:
For me, I had the same problem.
I'm running RHEL5, openssl-0.9.8l with the ISC patch and integrating
with the AEP Keyper PKCS#11 lib.
After applying the ISC patch, I found that this worked for me:
# ./Configure linux-elf -m32 -pthread
--pk11-libname=/op
Hi,
Is there a way for bind9 (or planned for bind10) to dynamically update the
forwarders via
rndc? I believe currently the only way to do this is to rewrite the config file
and then
call rndc reload.
This is not something that lends itself to automating based on a network
manager based
netwo
On Mon, 18 Apr 2011, John Williams wrote:
Subject: DNSSEC, whitehouse, isc, and troubleshooting...
From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag
as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec)
and I know that zone is signed.
Is
On Tue, 19 Apr 2011, Doug Barton wrote:
I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
against openssl 1.0.0d not being able to chroot unless they copy
$PREFIX/lib/engines/libgost.so into the chroot environment. Traditionally,
copying libs into the chroot directory has
Hi,
I'm investigating an outage that happened on a bind server. It was
configured as a caching resolving name server. It was forwarding for
one specific zone. This zone had two nameservers/forwarders of which one
at some point was unreachable due to a cable cut. The other nameserver
turned out t
On Mon, 27 Jun 2011, Florian Weimer wrote:
1 Is this problem happening because EDNS failure is not remembered for
forwarders?
There is no reliable way to detect EDNS support in forwarders, so there
isn't anything to remember, really. Sadly, the situation with
authoritative servers is not muc
On Tue, 28 Jun 2011, Cathy Almond wrote:
BIND does take notice of this and it's something we're looking at to
make better in future releases. But at the moment it's not foolproof
and its effectiveness is dependent on circumstances.
There is short term caching of learned 'we don't support EDNS'
On Wed, 17 Aug 2011, Marc Lampo wrote:
It looks like once DNSSEC'd data validates correctly,
that version of Bind will keep reusing that data (until TTL expires).
Or when the RRSIG expiry time is reached, whichever comes first.
While it may make sense, to save on CPU cycles,
I am unsure if t
On Wed, 17 Aug 2011, Marc Lampo wrote:
I did indeed deliberately remove the old DNSKEY,
Before RRSIG's generated with it got expired from the cache.
But to my surprise, the validating caching name server
still replies correctly !
Meaning that that it actually does not re-verify,
once data was f
On Wed, 12 Oct 2011, Niccolò Belli wrote:
Subject: CNAME record for the root of the domain
How to set it?
I know there is a workaround, but I hadn't been able to make it work...
I use bind 9.7.3.
Perhaps you mean DNAME?
http://www.ietf.org/rfc/rfc2672.txt
http://www.informit.com/articles/ar
There have been discussions in the past over this, but we were once again
bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone -C
-u -r /dev/random -t -o openswan.org -f /var/tmp/openswan.org.sign.tmp -i
1296000 -e +2592000 -j 129
On Tue, 1 Nov 2011, Paul Wouters wrote:
There have been discussions in the past over this, but we were once again
bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone
-C -u -r /dev/random -t -o openswan.org -f /var/tmp
On Tue, 1 Nov 2011, Paul Wouters wrote:
There have been discussions in the past over this, but we were once again
bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command:
/usr/sbin/dnssec-signzone -C -u -r /dev/random -t -o openswan.org -f
/var/tmp
On Wed, 9 Nov 2011, Matus UHLAR - fantomas wrote:
sofia.dashofer.sk. 3600 IN TXT
"X-IPsec-Server(10)=@sofia.dashofer.sk" "
AQNqdEjqL33Pf4MFgJYs5v4xRhEPTWouM3Ny1HfcecM+TdX+gpZ2gzIpsmB8UWsUobuJnTSJ
wt2rEw3PcFpuBN3l8F8dAuSWl5lhiojjdenmHf2A6EaqyNTzGJgro9qAMS91DjW4i3HrOAgk" "
Z1sfvkN8
On Sat, 12 Nov 2011, Eduardo Bonsi wrote:
I am trying to DNSSEC validate my external zone bonsi.org but I am hitting a
wall here. This is my first time trying to validate DNSSEC with some obvious
frustration. Maybe some one can point me what I am failing to do here.
As Evan said, your signed
On Tue, 15 Nov 2011, Gaurav Kansal wrote:
When I am query through dig for nkn.in domain without any additional parameter,
It is showing 3 ADDITIONAL records.
And when I am query through dig for same nkn.in domain with +dnssec parameter,
It is showing 4 ADDITIONAL records but there are only 3 a
On Wed, 16 Nov 2011, David Ford wrote:
can we have a paradigm shift from ISC please? instead of falling over
dead with insist/assert, please bleat a warning and drop the problematic
issue on the floor instead and press on with business. many BIND DoS
attacks (and zone typos) are very effective
On Wed, 16 Nov 2011, Stephane Bortzmeyer wrote:
From the reports on this mailing list, it seems there is a new
vulnerability in BIND, actively exploited in the wild. I suggest that
you send a detailed bug report (with the actual log) to ISC
I have not heard this is actually "exploited" versus
On Wed, 16 Nov 2011, David Ford wrote:
ISC have replied and indicated that BIND 10 was designed, with
resilience to abnormal events, in mind. i'm eagerly looking forward to
trying it out now.
i disagree that it's easier to find and fix. many people will simply
wrap it in a while(1) and ignore
On Wed, 16 Nov 2011, Lightner, Jeff wrote:
By "init script" do you mean a script running from inittab doing a respawn? When I see
"init script" I think of scripts run at shutdown and boot in /etc/init.d (or more
accurately in /etc/rc?.d run level directories linked to the scripts in init.d).
On Wed, 16 Nov 2011, Evan Hunt wrote:
The answer is no, to the best of our knowledge at this time, the
bug cannot be triggered before the query ACL has been applied.
This doesn't help, though, because the query can be a perfectly
innocuous one sent by an allowed host. The problem is what was i
On Wed, 30 Nov 2011, Michael Graff wrote:
On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote:
In RHEL there is a RPM package called unuran.
It's a random number generator daemon using either a piece of hardware or
/dev/urandom as source. Running this will provide enough entropy to create lots
On Thu, 1 Dec 2011, Chris Thompson wrote:
I think that because you have told it to inactivate and indeed delete both
ZSKs, in desperation it has signed the whole zone with the only remaining
key, even though it has the SEP bit set.
The SEP bit does not mean "do not sign zone data". It mean
On Thu, 1 Dec 2011, Michael Graff wrote:
I'm using an Araneus Alea I, from http://www.araneus.fi/products-alea-eng.html.
I'm sure others would work as well. I know the creator of this device
personally though, so it's the one sticking out of the back of the box I own.
:)
At 150 EURO, its
On Thu, 1 Dec 2011, Warren Kumari wrote:
Yeah, a number of motherboards now come with TPMs that include hardware RNGs...
My current personal server (Dell R710) has just such a beastie -- there is some
info here: http://domsch.com/blog/?p=107 and I *think* that the rng-tools
package now suppor
On Wed, 25 Jan 2012, Evan Hunt wrote:
Can I extract the key tag from a DNSKEY, obtained via dig?
"dig +multi" will show it. In BIND 9.9, so will "dig +rrcomments".
While adding options, how about an alias +do for +dnssec ?
Paul
___
Please visit h
Hi,
I'm running into a strange issue where when signing a zone with
re-using signatures, that sometimes 1 RRSIG record ends up with
a validity time of almost nothing. This happens for instance when
signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592000"
as part of the dnssec-signz
Hi,
dnssec-signzone incorrectly leaves NSEC records in a zone when "re-using"
the old signed zone when changing from NSEC to NSEC3. The resulting zone
file will contain both NSEC and NSEC3 records.
Paul
On Fri, 14 Aug 2009, Chris Thompson wrote:
I'm running into a strange issue where when signing a zone with
re-using signatures, that sometimes 1 RRSIG record ends up with
a validity time of almost nothing. This happens for instance when
signing (and re-using sigs) using "-i 1296000 -e +2592000
On Fri, 14 Aug 2009, Evan Hunt wrote:
I'm signing more or less hourly. My -i interval says "at least 1296000
seconds in the future" from start date "now - minus 1 hour" (because I
don't use "-s")
Your -i flag says: if you're re-signing a zone that's already signed, any
RRSIGs whose expiry times
On Fri, 14 Aug 2009, Chris Thompson wrote:
So as far as I can tell, I should always be more than fine on the lower
time limit. That's why I'm suspecting a bug in the jitter code.
I think you misunderstand what -i does (or else I do!). If a signature
expires
more than 15 days into the future
On Fri, 14 Aug 2009, Evan Hunt wrote:
But I am getting the error that the signature is *expired*. Not that it is
being replaced because its only valid for 15 days - 1 hour in the future.
It would look that way. I think the message you're seeing comes from here:
vbprintf(2, "\t
On Fri, 14 Aug 2009, Evan Hunt wrote:
The truth is that E is a hard limit, so the range you get is E-J to E.
So, given E = S + 30d, and J = 30d, you're getting expiry times ranging
from S to E.
S, in this case, is an hour in the past. I guess that accounts for the
already-expired signatures y
On Mon, 17 Aug 2009, John Marshall wrote:
named[204]: no valid RRSIG resolving 'cvsup.au.freebsd.org/A/IN':
123.136.33.242#53
What should I do to troubleshoot this if it happens again?
First of all, try and dump the cache, using rndc dumpdb -all. This
gets a snapshot of the current state o
Hi,
May I suggest an improvement in the handling of bind's out of memory
handling when performing *XFR's?
I am talking about these: failed while receiving responses: out of memory
Currently, bind drops the AXFR, and I assume the memory of the failed
partial *XFR'd zone, and tries again. On dedi
On Fri, 11 Sep 2009, Andrews, Harold G CTR USAF HQ AF GCIC/CT wrote:
I’m having a bit of difficulty setting up bind on FC11 (x64) which I’m using in
a standalone
network environment (i.e. no external network connectivity; essentially a
closed dev
network). I loaded the package from Red Hat an
Hi,
When using 9.7.0a3 with dnssec-signzone and PKCS#11, one can use the genkey.sh
as a tool to generate keys. It is however hardcoded to RSASHA1. (We needed
NSECRSASHA1)
The below tiny patch addresses this.
Related, the dnssec-signzone command created a zone with algo 5 DNSKEY's with
NSEC3 re
On Tue, 29 Sep 2009, Chris Thompson wrote:
On Sep 29 2009, Paveza, Gary wrote:
I'm currently working on setting up DNSSEC for all our zones. I have a
question regarding keys. Do you use different ZSK and KSKs for each zone?
Or do you use the same keys for all zones?
You can't really use t
On Wed, 30 Sep 2009, Mark Andrews wrote:
http://www.afnic.fr/outils/zonecheck/_en
The key word is "required". I know some do, I just wish more did.
I for one, welcome our new named-checkzone overlords.
(especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
and re-use
Hi,
I've been trying to configure bind to use a stub zone, for which I
have keys configured. When I do this, I see a ServFail, with the
logs pointing to:
01-Oct-2009 11:00:03.053 lame-servers: info: not insecure resolving
'xelerance.ca/DNSKEY/IN': 193.110.157.135#53
When I disable the truste
On Fri, 2 Oct 2009, Mark Andrews wrote:
zone "ca." IN {
type stub;
masters { 192.228.22.190; 192.228.22.189; };
};
To make the test signed ca work you need to replace the NS RRset
with the names of the nameservers that serve the signed CA zone.
At the moment you end up with t
On Wed, 23 Dec 2009, Marco Davids wrote:
It seems as if my 'dnssec-signzone' runs on one CPU-core only, where as
I would have expected it to run on all four.
dnssec-signzone first does a lot of preprocessing on one core, before
it finally starts signing with multiple cores. Are you sure it is
On Thu, 28 Jan 2010, prock...@yahoo.com wrote:
So my question is, is there a way through DIG (or some other utility) to
confirm that the parent domain has the DSSET and KEYSET records required to
support the child domain?
http://opensource.iis.se/trac/dnscheck/
$ dnscheck -test=dnssec xeler
On Sat, 6 Feb 2010, Mark Andrews wrote:
We (= me and Paul Wouters) are working on dnssec-conf update. Sorry
for troubles.
The better thing would be a a script to fetch the current keys
nightly, perform a sanity check, then update or inform the administrator
and let them update the keys after
On Fri, 19 Feb 2010, Shane W wrote:
algorithm of 1 means use SHA-1 for hashing names; flags of 1 means opt-out
and 0 means no opt-out; iterations indicates how many times to repeat the
Hmm, when attempting to add a nsec3param via nsupdate, I
get:
NSEC only DNSKEYs and NSEC3 chains not allowed
On Tue, 23 Feb 2010, Alan Clegg wrote:
For the record, NIST recommends to roll the ZSK every three months, and
the KSK every two years.
And there are lots of other opinions on this timing as well.
Note that you cannot really talk about rolling key recommendations without
mentioning the key s
On Wed, 24 Feb 2010, Tony Finch wrote:
On Tue, 23 Feb 2010, Joe Baptista wrote:
Lets not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be deplo
On Thu, 25 Feb 2010, Evan Hunt wrote:
It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?
That depends on what you mean by "turned on". The DNSSEC protocol is
enabled, and the DO bit is set in queries, so authoritativ
On Thu, 25 Feb 2010, Eugene Crosser wrote:
Right now, as far as I am concerned, the main obstacle to more widespread
adoption on DNSSEC is the lack of procedure to establish trust between your zone
and the TLD. Even if my zone is signed, and it's in .org which is signed too, I
have no (googlable
Hi,
What will happen to people who have configured bind 9.6.1 to do
DNSSEC and DLV processing, when SHA256 hashes start appearing?
Will it go to insecure or bogus?
Do we have a problem in a few days?
Paul
On Wed, 17 Mar 2010, Evan Hunt wrote:
No, not at all. Threaded works fine--I use it myself. It's just a little
touchy about file permissions. On linux, I'm given to understand, a
multi-threaded application can't relinquish its root privileges and then
get them back later if it needs to open a
On Sun, 28 Mar 2010, Nate Itkin wrote:
28-Mar-2010 21:02:27.467 dnssec: warning: client 200.160.7.134#6363: view
external: expected covering NSEC3, got an exact match
The error suggests the following happened. The client asked for something
that did not exist. The server then hashes the hostn
On Mon, 29 Mar 2010, Matthew Pounsett wrote:
On 2010/03/28, at 18:48, Roy Badami wrote:
configured). The queries are resulting in SERVFAIL, and I'm pretty
sure the failures are DNSSEC-related, as when I've seen problems as
they occur (dig failing from the command line) then repeating the
quer
On Tue, 30 Mar 2010, Matthew Pounsett wrote:
named-checkzone doesn't only check the internal consistency of a zone, it also
tries to see that it is externally consistent. e.g. that names referred to in
other zones also exist.
I was amused the day that feature came in without me realising it
On Fri, 16 Apr 2010, Deny IP Any Any wrote:
Do I need to allow UDP/500 packets (ISAKMP) to my bind DNS servers for DNSSEC?
I've been seeing a lot of UDP/500 attempts from the general internet
to my public DNS servers, and can't figure out why. The Wikipedia page
for DNSSEC doesn't mention anyth
On Thu, 22 Apr 2010, Timothe Litt wrote:
I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
configured as validating resolvers.
Using dig, I get a connection timeout error after a long (~10 sec) delay.
+cdflag provides an immediate response.
Is anyone else seeing this? I
On Thu, 22 Apr 2010, Chris Thompson wrote:
I have the same problems with our validating unbound instance.
I suspect that this has to do with
dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.
failing with timeouts, while dig +dnssec +n
On Fri, 7 May 2010, Mark Andrews wrote:
Subject: Re: ftp.isc.org is down
There was a fibre cut in the Bay area.
Out of curiosity, how did this affect the DLV? (Not that I noticed any outages
on my servers configured to use the DLV)
Paul
On Fri, 28 May 2010, Michelle Konzack wrote:
Hello *;
I am retrying to setup DNSSEC but I have a problem with:
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE tamay-dogan.net
because if I issue the command, it waits forever and nothing happen.
What can this be?
Operating System is "Debian GNU/Li
On Fri, 4 Jun 2010, Jan Buchholz wrote:
how I can disable dnssec in the bind resolver ? My firewall don't let
packets with D0 flag through. I've tried 'dnssec-enable no;' , but
this don't fix the problem.
I believe that only disables *serving* DNSSEC records.
I think you want 'dnssec-validati
On Fri, 4 Jun 2010, Evan Hunt wrote:
I'm pretty sure "dnssec-enable no" does suppress the DO bit. If it
doesn't, that's probably a bug.
Yeah, I thought the default changed when all those NAT routers proved buggy.
If it doesn't, though, try "edns no". You can't have a DO bit if you
don't ha
On Mon, 21 Jun 2010, Rok Potočnik wrote:
Anyway.. I found out what the problem is... they don't reply to dnssec
enabled requests...
$ dig +short @ns33.domaincontrol.com. replacementservices.com.
72.32.12.235
$ dig +short +dnssec @ns33.domaincontrol.com. replacementservices.com.
;; connection
On Sun, 27 Jun 2010, Loren M. Lang wrote:
I have read through RFC 4641 and I believe I understand the various key
roll over procedures, but the RFC does not mention the scenario of
adding the DS records to the parent before publishing and/or using the
new KSKs. It is safe to pre-publish new DS
On Fri, 9 Jul 2010, Dave Knight wrote:
Let's say you have 2 nameservers
ns-europe.example.com ( which is physically located in North America )
ns-americas.example.com ( which is physically located in Europe )
and both of those are authoritative for this zone
geoip.exam
On Thu, 22 Jul 2010, Atkins, Brian (GD/VA-NSOC) wrote:
Does anyone know of an existing script or program that can parse a zone
file and verify records against an active server?
named-checkzone these days does some checks unless specified not to do so.
(note to self: don't do that on a 2.5M reco
On Wed, 18 Aug 2010, Casey Deccio wrote:
Using BIND 9.6.2-P2 and 9.7.1.P2 configured for DNSSEC validation with DLV I
experience the following issue. When I
attempt to resolve www.jobcorps.gov I get a SERVFAIL message. The
authoritative servers return an RRSIG covering the
A RR, but the reso