hidden primary can not sign. can the public primary which fetches from
it, and happens to be primary for the parent zone, do bitw signing?
randy
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support
hi mark
>> hidden primary can not sign. can the public primary which fetches
>> from it, and happens to be primary for the parent zone, do bitw
>> signing?
>
> In-line signing is the concept you are looking for and yes named
> supports it.
i know bind9 does bitw. happy to learn it is called in
is there a known hack to extract keys from opendnssec/openhsm to use for
bind bitw inline-signing?
randy
>> is there a known hack to extract keys from opendnssec/openhsm to use for
>> bind bitw inline-signing?
>
> Assuming you mean SoftHSM
sorry, my bad. first cuppa.
> I don't think so, at least not when using its default settings. (That
> is one of the main features of an HSM -- to keep the keys
> Can you share a bit about why you want to get out of using
> opendnssec/openhsm?
i need bind bitw for other zones. so two methods, one with a lot of
moving parts, ...
> I would regard this as an opportunity to test key rollover with your
> parent zone :-)
i have plenty of bullets and only two
> If you have a true duplicate you only need to answer it once otherwise
> you have different clients and you need to answer all of them. Note
> there can be multiple clients on the same address.
i gotta ask.
so, for address foux, how do i know if there is one client or more than
one?
randy
--
have spent a bit searching but no result. so ...
can i use an acl{} or other macro in `also-notify`? i have a bunch of
zones where i want the same `also-notify` list.
thanks
randy
> I admit here we most often work with internal only forwarders, which
> are not accessible from outer internet. So those won't be under attack
i am always impressed by security optimism
randy
FreeBSD 13.2-RELEASE-p10 amd64
bind 9.16.48
softhsm-1.3.8 (yes, i know)
opendnssec 2.1.13
moon in klutz
been running opendnssec, and trying to move to bind inline-signing
in the hope of making it more readable, the sad story is at
https://git.rg.net/randy/randy/src/master/scratch.md
thanks for a
> Your DS and DNSKEY rrset are not matched. You
> need to publish the DS for the DNSKEY with key
> tag 3463.
>
> rg.net. 86256 IN DS 12391 8 2
> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>
> rg.net. 3463 IN DNSKEY 256 3 8 (
> AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
>
[ off list ]
> I couldn't help noticing that when you ran dnssec-dsfromkey you
> referenced this directory: /usr/home/dns/Fixed
nah. i have multiple copies so i can `rsync` them to refresh.
i am getting closer. as mark pointed in the direction, i found that the
keys produced by the extraction
FreeBSD 12.2-RELEASE-p6 GENERIC on amd64
bind 9.16.19 from binary ports
ok, i was quietly waiting for a fix to magically appear and it hasn't.
i am getting 10-20 crashes a day on each of two servers. it is not
leaving disk flowers; and i see no config option to encourage it to do
so.
randy
---
> Presumably you are running with `named -u`
# grep named /etc/rc.conf
named_enable=YES
named_program=/usr/local/sbin/named
named_conf=/usr/home/dns/named.conf
named_chrootdir=""
named_chroot_autoupdate=NO
named_uid=bind
named_gid=bind
named_wait=YES
named_a
for some reason lost in time, i have the following in `/etc/ipfw.rules`
on a freebsd system running bind9
add allow tcp from any to me 53 limit src-addr 1 setup
add deny tcp from any to me 53
the results are
01000 48358531 6390772849 allow tcp from any to me 53 setup limit
src-ad
> for some reason lost in time, i have the following in `/etc/ipfw.rules`
> on a freebsd system running bind9
>
> add allow tcp from any to me 53 limit src-addr 1 setup
> add deny tcp from any to me 53
and now i know why
# lsof -i :53
COMMAND PID USER FD TYPE DEVICE SIZ
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
> TLD            Signed?  Comments
> -----
> google.com     no
> gmail.com      no
> youtube.com    no
> apple.com      no
> microsoft.com  no
> amazon.com     no
> walmart.com    no
> outlook.com    no
> 1e100.net      no
> facebook.com   no
> twitter.com    no
> instagram.com
>> my guess is that they see dnssec as fragile, have not seen _costly_
>> dns subversion, and measure dns outages in thousands of dollars a
>> minute.
> No one wants to be this guy:
> http://www.dnssec.comcast.net/DNSSEC_Validation_Failure_NASAGOV_20120118_FINAL.pdf
so, to me, a crucial question
an ancient csh script named `doc` used to be guiltily associated with
bind. i can no longer find it. i have 2.2.3 from 2001.07.25. anyone
know the whereabouts of anything more recent? 2.2.3 has a little bug
on macos ventura.
randy
[ pulls head out of sand ]
so, i guess there is a named tcp dos going around. using bind9, is
there an amelioration? or am i misconfigured in some way?
randy
Jul 29 14:07:26 rip named[4146]: 29-Jul-2018 14:07:26.428 client: warning:
client 67.205.183.100#60084: no more TCP clients: quota rea
> mdig @147.28.0.39 -f queries.txt
>
> queries.txt contains 40x
> switch.ch A
>
> I would suggest something like this:
>
> rate-limit {
>     // start rate-limiting if more than X identical
>     // responses per second, default 0 i.e. unlimited
>     responses-per-second 25;
>     nxdomains-per-sec
>> ... are there that many folk doing tcp out there?
> All name servers fall back to TCP when they receive truncated replies.
we know the protocol. [ and we know folk have idiot middleboxen ]
what i was asking was the distribution of this in the wild.
randy
... are there that many folk doing tcp out there?
>>> All name servers fall back to TCP when they receive truncated replies.
>>
>> we know the protocol. [ and we know folk have idiot middleboxen ]
>>
>> what i was asking was the distribution of this in the wild
>
> one word: DNSSEC
i.e. i
>> estimate or measure the distribution of the ratio of udp to tcp
>> queries on say 100 cctld servers
>
> bla - 512 bytes are easily exceeded
>
> more than 10 years ago i also thought i am smart and TCP 53 is only
> needed for zone-transfers until i realized that random e-mail errors
> were the
> ... are there that many folk doing tcp out there?
All name servers fall back to TCP when they receive truncated
replies.
>>>
>>> we know the protocol. [ and we know folk have idiot middleboxen ]
>>>
>>> what i was asking was the distribution of this in the wild
>>
>> one word: D
> We run about 300 TLD's on our DNS platform and get roughly 5-10% TCP
> queries.
that is quite a variance
> In comparison, we get about 25-30% IPv6 queries.
wonder how that compares to others
thanks for actual data
randy
> We have slightly less than 25% for IPv6 queries.
> And about 4-5% TCP queries.
considering we share the load of the same non-trivial signed cctld, i
should be seeing similarly. though i am sure both of us serve a few
more . and tony and hugo (the latter privately) are seeing similar,
though ma