otography. DS 22755 8 2
2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92
2D1E7FA9")->keytag,"\n"'_
22755_
|
|perl -MNet::DNS -MNet::DNS::SEC -e' print
Net::DNS::RR->new("ericgermann.photography. DNSKEY 256 3 15
9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9
Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2
2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
Enjoy.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my e
If it is, they have a bug
You might also consider using a different key experimentally, on the off
chance that a wrong keytag bug is data-dependent.
But the most likely scenario is that somehow AWS is generating a DS for
a different key.
I don't use AWS, so that's as fa
8 2
2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D922D1E7FA9|
So, as I concluded, AWS was generating a DS for a different "key". Its
keytag was correct for the data it got.
Glad you got to a solution.
Timothe Litt
ACM Distinguished Engineer
--
This communic
On 29-Dec-22 13:45, Peter wrote:
On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote:
! (Manual processes
! are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
! has been so slow is unfortunate.)
Seconded. Do You have information about this moving at all
Apparently I didn't include the DNS script library link mentioned in my
note. Sorry.
https://github.com/srvrco/getssl/tree/master/dns_scripts
On 29-Dec-22 13:45, Peter wrote:
On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote:
! (Manual processes
! are error-prone. That ge
e anything that no complaints are received. Which discourages
adoption, keeps the user base small, validates the "don't do much"
strategy, and - catch-22, DNSSEC doesn't expand beyond the hardcore techies.
The problem is politics, not technology.
Timothe Litt
ACM Distin
re found at the end of the string, e.g., a base 64 string
terminated with "===", the excess pad characters could be ignored.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the ma
ss fields in the records.
https://github.com/tlhackque/certtools has a simple utility called
acme_token_check that does (c) to remove stray ACME records - it shows
how to do the transfer and walk the zone. (And also how to use DNS
UPDATE to maintain it.)
Enjoy.
Timothe Litt
ACM Dist
do the transfer and walk the zone. (And also how to use DNS
UPDATE to maintain it.)
Enjoy.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
OpenPGP_signature
Descripti
if not a DNS
expert, the easiest diagnostic to use is https://dnsviz.net
It's graphical, detailed and while oriented toward DNSSEC, detects many
other misconfigurations.
Fix the errors and warnings shown at
https://dnsviz.net/d/mofa.gov.bd/dnssec/ and retest.
Timothe Litt
ACM Dist
)
status - list current file
One caution: Do not copy the script using copy & paste; there are places
where
literal tabs and spaces are important. [Some environments have very limited
regexps.]
It's freely redistributable, with the usual caveat that there is no warranty
o
yer [mailto:bortzme...@nic.fr]
Sent: Thursday, September 06, 2012 09:08
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: Root hints updates
On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt wrote
a message of 466 lines which said:
> This is a script to automagically update the root
n general, logging is most useful when the data goes to someone who can
do something about it. Logging at the victim is useful for isolating a
problem - but if no-one is actually troubleshooting (and won't), it's
largely wasted.
DNSSEC is another area where issues need to be forwarded to
ike it would be a step up from the current situation.
Today, the lame server logging delivers data to the source about 0% of
the time. If my suggestion increases that to any non-zero number, it
would be an improvement.
Timothe Litt
ACM Distinguished Engineer
--
Thi
nt
it to you folks quite some time ago (and could resend).
Since you're obviously in the code, would you re-consider this? It's
pretty straightforward, it simply selects a subset of the data in the
(then-) existing flow.
Thanks on both counts.
Timothe Litt
ACM Distingui
l the servers going to go down and reboot with the new
config synchronously? What if you have lots of them (e.g. 10s or
100s)? In different admin domains?
As you say, this is an API
Flag days are never fun, and this is avoidable.
Timothe Litt
ACM Distinguished Eng
If you want multiple servers, the second one usually costs less because
you kept all the bootstrapping supplies.
Further discussion should probably find another list...
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer&#
(which are DNSSEC signed)
transfer just fine.
Not helpful without my configuration? That's the point. Post yours
with the log messages showing the transfer attempts & failures and maybe
someone (else) will help.
Timothe Litt
ACM Distinguished Engineer
--
This co
ian operations to encourage migration are a lot
larger than they were in years past.
--
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
m a zone file, though
that doesn't seem unreasonable. (E.g. if read from a zone file, pick a
salt, treat the record as if loaded with that value, and do all the
requisite (re-)signing.)
I'm copying bind9-bugs so this doesn't get lost. Please don't copy that
list if you co
On 06-Feb-14 09:14, Klaus Darilion wrote:
On 06.02.2014 14:58, Cathy Almond wrote:
On 06/02/2014 12:58, Timothe Litt wrote:
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone&#
c tcp/udp 10.0.0.1 53 16.123.213.11 53
extendable no-payload )
Otherwise, the router will try to be 'helpful' by modifying the payload
- which breaks quite a few things, and not necessarily in obvious ways.
Timothe Litt
ACM Distinguished Engineer
--
This commun
e. These tend to run themselves. And
they don't use much power, so a fairly inexpensive UPS will keep router,
modem, phone up for many hours.
I ported bind to optware many years ago for this.
And no, I'm not suggesting that bind should be run on your favorite
smartphone...
Timothe Lit
estions on what
should be done more officially/thoroughly. (Including routine builds
during development.)
Including ARM - native and cross-compiled - would support parts of the
community that don't get much attention (nor make much noise.)
Embedded and cross-architecture
this what response rate limiting is for? Given RRL, does this
still make sense?
For the latter, separating the measurement/threshold tuning from the
decision to drop would seem to produce more sensible behavior than
dropping every 5i-th packet. And for it to make any sense at all, it
must be adju
I guess I confuse easily...still Either I don't understand what it's doing,
or I don't understand why it's doing what it is, or what it's doing is
confused.
Sigh.
On 08-Jun-14 14:24, Evan Hunt wrote:
> On Sun, Jun 08, 2014 at 09:45:23AM -0400, Timothe Litt wrote:
>
not there, and until we are, my advice is that
resolvers consult the DLV. It's not perfect, but it's what we have.
See dnssec-deployment for other discussions of this (sometimes
controversial) topic.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not re
On 27-Aug-14 14:54, Doug Barton wrote:
> On 8/26/14 10:35 AM, Timothe Litt wrote:
>> I think this is misleading, or at least poorly worded and subject to
>> misinterpretation.
>
> I chose my words carefully, and I stand by them.
>
The OP was asking about configuring a res
On 27-Aug-14 20:35, Doug Barton wrote:
> On 8/27/14 3:03 PM, Timothe Litt wrote:
>> So you really meant that validating resolvers should only consult DLV if
>> their administrator knows that users are looking-up names that are in
>> the DLV? That's how I read your
On 19-Nov-14 19:03, Graham Clinch wrote:
> Hi Casey & List folks,
>> My apologies - this was actually a bug in DNSViz. The NSEC3 computation
>> was being performed on the wrong name (the wrong origin was being
>> applied). It should be fixed now, as shown in:
>>
>> http://dnsviz.net/d/foo.cnamete
reduces management overhead. I know generating the
hash for that
with openssl isn't fun. But, https://www.huque.com/bin/gen_tlsa is the
easiest way
that I've found to generate TLSA records. And it supports SPKI
selectors... So you might
want to point to it.
I'll try to have a clos
15031503 28800 7200 604800 3600
;; Query time: 7 msec
;; SERVER: 192.168.148.4#53(192.168.148.4)
;; WHEN: Sun Mar 15 07:01:16 EDT 2015
;; MSG SIZE rcvd: 216
I have verified that bind is happy to create and resolve similar names...
Oh, and the third record does resolve, which makes me suspic
nce.
And since there's no problem, they refuse to escalate. I've made an
out-of-band
attempt to get the attention of their management.
FWIW, bind is quite happy to accept these names in a domain where I run
my own
servers.
Timothe Litt
ACM Distinguished Engineer
the code than by experiment.
I think that's conclusive, which is why I stepped into the support
morass. I'm tempted
to move the domain to my own servers, but I really hate to let vendors
get away with
customer-unfriendly support. Other people don't have th
On 20-Aug-15 10:50, /dev/rob0 wrote:
> On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote:
>> There are a number of providers out there offering secondary
>> dns services for free or for a few bucks/month. Even DNSSEC
>> is possible for free.
> This is good news! I knew there were sever
ize & doing a reconfig to close/reopen the log
file. (In which case, report a bug in the log manager's config -
named's own log file management avoids all those hassles.)
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM
have too many patch
conflicts to resolve. After you've done this once or twice, you'll want
to revisit you need for local changes - either decide they're not that
important, or offer them to ISC. Maintaining a private version is work.
Timothe Litt
ACM Distinguished Engineer
--
ble building with openssl. Make sure that you
have the openssl-dev RPMs installed. Don't try to build that from
source; RedHat heavily patches it & other packages depend on the changes.
Switching to the RedHat version of named may be your best option. This
should not be difficul
f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN':
> 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
> 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving
> '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN':
> 217.168.153.95#53
>
&g
nssec maintain saves a lot of work, or the next
technology comes along. To misappropriate a K&R quote - "Your constant
is my variable". Or the ever popular "If you don't take the time to do
it right, you'll have to make the time to do it over...and over again".
-- 1.0.1
[New Rules]
If this is correct, the project website for Eagle DNS would appear to
be: http://www.unlogic.se/projects/eagledns
It seems a rather odd choice for a .gov (US Health and Human Services)
owned domain...though one never knows what IT outsourcing will produce :-)
Timothe L
r effort, which may be worthwhile if
it allows you to concentrate on your unique value proposition.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 22-Feb-20 20:25,
Er,
dig _acme-challenge.imap.lrau.net <http://acme-challenge.imap.lrau.net>.
is missing a record type. The default is A.
dig _acme-challenge.imap.lrau.net <http://acme-challenge.imap.lrau.net>. txt
will likely give you better results
Timothe Litt
ACM Distinguis
he code to
do (TSIG-signed) updates.
As for the next layer - XML or whatever - that's another project. If
you speak Perl, it would not be difficult to wrap Net::DNS to meet your
needs.
P.S. Other than using it (and reporting the occasional bug), I have no
relationship with Net::DNS :-)
Ti
Or any Intel or AMD cpu since ~2015 has
RDRAND/RDSEED.
There are some religious arguments about booby-trapped hardware sources -
these days, kernels will mix all sources, so I don't get too upset. But
YMMV.
Timothe Litt
ACM Distinguished Engineer
--
This communicatio
address other than what you intend. Use -b to explicitly bind to a
particular interface.
(Or, if you use TSIG to match views, -k)
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's vie
onment to the real world...) While full automation can be fun,
it's amazing how much one can get out of a spreadsheet with/autofilter.
(For the next level, pivot tables and/or charts...)
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the
high query rates.
RFC2182 (https://tools.ietf.org/html/rfc2182) is fairly readable and
describes many of the considerations involved in selecting secondary DNS
servers.
DNS appears deceptively simple at first blush. Setting up a serviceable
infrastructure requires an investment of thought and on-go
f you skimp on
that investment, since broken DNS is externally visible - and frequently
catastrophic."
I'll finish with a 1987 quote from Leslie Lamport on distributed
systems, which the DNS most certainly is:
"A distributed system is one in which the failure of a computer you
didn&#x
,
> just trying to understand for future reference.
>
> TIA,
> Tim
DNS is complicated. The scope of an error in a zonefile is hard to
determine.
To avoid this, your automation should use named-checkzone before
releasing a zone file.
This will perform all the checks that na
On 16-Dec-20 13:52, Tim Daneliuk wrote:
> On 12/16/20 12:25 PM, Timothe Litt wrote:
>> On 16-Dec-20 11:37, Tim Daneliuk wrote:
>>> I ran into a situation yesterday which got me pondering something about
>>> bind.
>>>
>>> In this case, a single line i
e.org/web/20201223034301/https://www.zytrax.com/books/dns/>
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 20-Apr-21 19:09, Victoria Risk wrote:
> Ron Aitchinson called me t
the
network (to make DNS queries[no, not named!], including control) - yes:
prefer to keep
FWIW - YMMV.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 29-Apr-21
had only a couple of IPv4 addresses wrong. (Didn't have many
IPv6.) root.hint really IS stable - and so, therefore, are the named
built-ins.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, o
tart a religious war or to prolong the
debate on what ISC does. It assumes BIND won't support windows, that
WSL is imperfect, and that an alternative to complaining might be
helpful... Feel free to s/Linux/(Solaris|FreeBSD|VMS|yourfavorite/g.
I don't have a need for BIND (except the tools)
A fair question for users would be what restart times are acceptable for
their environment - obviously a function of the number and size/content
of zones. And is a restart "all or nothing", or would some
priority/sequencing of zone availability meet requirements?
Timothe Litt
ACM Distinguis
On 10-Sep-21 08:36, Victoria Risk wrote:
>
>
>> On Sep 10, 2021, at 7:24 AM, Timothe Litt > <mailto:l...@acm.org>> wrote:
>>
>> Clearly map format solved a big problem for some users. Asking
>> whether it's OK to drop it with no statement of
at much.
A new memory mapped data structure that didn't require "updating node
pointers" (e.g. that used offsets instead of pointers) may be worth
considering. In current hardware and with a decent compiler and coding,
the apparent cost of this over absolute pointers may well b
On 10-Sep-21 13:11, Evan Hunt wrote:
> Recently a critical bug was discovered in which map files that were
> generated by a previous version of BIND caused a crash in newer versions.
> It took over a month for anybody to report the bug to us, which suggests
> that the number of people willing to pu
n the records.
It's easier, doesn't stop service, and because it automates the
mechanics, safer.
BTW: I recommend using TSIG for authorization with nsupdate rather than
IP addresses.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represen
vers, you need to meet the geographic dispersion rules. At
least 2 servers in two places. That's true no matter what protocols you
use. There are backup DNS services that support IPv6. A free one that
supports both IPv6 and DNSSEC is puck.nether.net/dns.
There are plenty of D
But enough polite requests might help.
Perhaps further discussion of this belongs elsewhere...it seems to be
wandering from BIND.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the
in order. And if it comes to that,
do yourself (and your successors) a favor and document the problem you
encounter and how your solution works...
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on
isn't the
right mitigation.
It's important not to jump to conclusions...
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
OpenPGP_signature
Description: Open
rs are easily
found at less than $20. This may be a better choice than LOC records.
GPS tells you where you are; LOC tells everyone else...
HTH
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on
ly what problem you're asking LOC (or
anything) to solve.
BTW, RFC1876 is worth reading for the suggested search algorithms. I
don't think it ever moved from "experimental", which may be part of why
uptake hasn't been great.
Timothe Litt
ACM Distinguished Engineer
On 01-May-22 05:03, Bob Harold wrote:
On Wed, Apr 13, 2022 at 9:39 AM Bjørn Mork wrote:
Timothe Litt writes:
> Anyhow, it's not clear exactly what problem you're asking LOC (or
> anything) to solve.
Which problems do LOC solve?
I remember adding LOC
the result :-)
Still, overall DNS seems to generate more problems than fun, so if LOC
provides amusement, it's a good thing.
Malheureusement, LOC's practical application remains unclear.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not rep
and at what cost. I don't expect a positive outcome, but
if I'm wrong, by all means post the details.
Since this has indeed come full circle, I'm done.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my em
uot; type static-stub;\n
server-addresses { 127.0.0.1; }; \n}; \n"}' >internal_stub_zones.conf|
will generate the static-stub declarations.
Of course, depending on how you add/remove zones, YMMV.
Timothe Litt
ACM Distinguished Engineer
--
This commun
being defective/compromised...
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
OpenPGP_signature
Description: OpenPGP digital signature
--
Visit https://lists.isc.org/mailma
nd match-clients, but those are site-specific.
You can also slave the root zone - that's orthogonal to AD.
I suggest taking one step at a time.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if
On 02-Aug-22 13:18, Peter wrote:
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
!
! On 02-Aug-22 11:09,bind-users-requ...@lists.isc.org wrote:
!
! > | Before your authoritative view, define a recursive view with the internal
! > ! zones defined as static-stub, match-rec
ns servers, and
client resolvers all on the same page. I'm not holding my breath.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
OpenPGP_signature
Desc
folks working on dnssec-policy seem to have
been responsive.
FWIW
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
OpenPGP_signature
Description: OpenPGP digital signatur
show what happens (if it still does - it could be that the ATT router's
resolver is at fault).
Intermediate step would be to use dig.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on t
Try
echo -e "[main]\ndns=none" > /etc/NetworkManager/conf.d/no-dns.conf
systemctl restart NetworkManager.service
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters dis
agers that I know of aren't in redhat distributions.
You may need to use auditing to identify what is writing the file.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters d
o "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2
exit 1
fi
if [ -z "$IP" ]; then
echo "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2
exit 1
fi
sed -i &q
age you to share it.
Here, or especially if larger, a pointer to one of the usual platforms.
(GitHub, GitLab, sourceforge, etc).
The community works best when everyone contributes what they can.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent
" in selecting a suitable resolver
for an external process. In any case, using "include" in configurations
can help to modularize/isolate the places where IP addresses are used.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not r
Seems to me that if you stick with this, a couple of things are necessary
for manageability:
o Some command to translate a zone file name to a view/zone name, and
vice-versa. That would enable people to debug based on file contents...
o A method to migrate zones from today's 'named.conf-config
I've been running 9.6-ESV-R1 and 9.6.1-P3 with "-DALLOW_INSECURE_TO_SECURE
-DALLOW_SECURE_TO_INSECURE" serving DNSSEC zones on several servers - all
linux, some FC13, others on ARM embedded systems.
Is there any documentation for what I need to do to convert from this
interim dnssec auto-signing m
Thanks - a couple of clarifying questions..
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Monday, September 06, 2010 19:57
To: Timothe Litt
Cc: bind-us...@isc.org
Subject: Re: Upgrading from 9.6 to 9.7
In message , "Timothe Litt"
writ
es:
> I've been running 9.6-ESV-R1
I have 9.7.1-P2 running and since it's supposed to be 'for humans', I guess
I'm trying to determing if I am one. It's not going as well as hoped... :-)
I have a domain - example.net, with two views, the usual 'internal' and
'external'; a third is planned. The master maintaining all the sub-domai
BIND isn't lying about having validated...
Other ideas?
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Thursday, September 09, 2010 22:06
To: Phil Mayers
Cc: bind-us...@isc.org
Subject: Re: DNSSEC, views & trusted keys...
In message <4c891404.3
I have found the statistics channel useful for getting the active zone
configuration - this lets my management GUI autoconfigure validity checks
and pull-down menus for zones. This will be especially helpful when the
dynamic add/delete zone situation is sorted out. But it's useful now
because it
.isc.org
Subject: Re: DNSSEC, views & trusted keys...
On Sep 11, 2010, at 2:34 AM, Phil Mayers wrote:
> On 09/10/2010 11:12 PM, Timothe Litt wrote:
>>
>> So it looks like the new (r-internal) view is starting at the root when
it
>> resolves -- ignoring what it has da
I'm trying to get named and my management tool cooperating
with named on DNSSEC key management.
I'm seeing behavior with auto-signing that doesn't strictly
match the ARM and would like to know what's correct. I'm
also not clear on what named expects for some cases.
4 questions after a little co
I have tried to consolidate the several suggestions for how to configure a
view that would respond with AD to recursive queries for authoritative
zoned.
I don't have a working recipe. I could use some help.
At this point, it looks like the recursive view is still going to the
external nameserv
No. But you can use a public (commercial or non-commerical) secondary DNS
service.
Google "secondary dns" or "free secondary dns". You will find a number of
services and reviews.
Be careful in selecting - many charge or limit you based on the number of
queries and/or zones. QOS and reliablity
YMMV wrt "just works". Yes, running the latest ISC bind can be worthwhile
after the OS distribution stops updating (or before it gets around to
packaging the latest ISC version.)
People considering the approach suggested by David & Alan should be aware
that the OS startup files often do more than
I have domain example.net in production, and have recently acquired
example.us and example.info.
For whatever reason, I want example.us to simply mirror example.net, which
is dynamically udpdated (and dnssec). And I want example.us to be zero
maintenance. (Well, OK I know I need separate DNSSEC k
is no
practical approach. Sigh.
-
This communication may not represent my employer's views,
if any, on the matters discussed.
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Thursday, June 30, 2011 20:58
To: Jo
yer's views,
if any, on the matters discussed.
_
From: Jon F. [mailto:pikel@gmail.com]
Sent: Thursday, June 30, 2011 16:11
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: DNAME?
I have a similar set up to that and it works. Have you checked the logs to
make sur
unication may not represent my employer's views,
if any, on the matters discussed.
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Friday, July 01, 2011 21:58
To: Timothe Litt
Cc: 'Jon F.'; bind-us...@isc.org
Subject: Re: DNAME?
When DNAME was be
There are tools for this. E.g. libfaketime
-
This communication may not represent my employer's views,
if any, on the matters discussed.
-Original Message-
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Saturday, Nove
Actually, there's a simpler solution to meeting the rule for 2 NS.
Use any of the secondary nameserver services. The come in a range of
prices/service levels. (Price and delivered service don't always
correlate.) Generally they act as slaves off your master; some are bind
based and use IXFR; ot
I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
configured as valdidating resolvers.
Using dig, I get a connection timeout error after a long (~10 sec) delay.
+cdflag provides an immediate response.
state.gov does not get this error. Note that it uses different nameservers
1 - 100 of 132 matches
Mail list logo
