Re: Funky Key Tag in AWS Route53

2022-12-29 Thread Timothe Litt
otography. DS 22755 8 2 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'_ 22755_ | |perl -MNet::DNS -MNet::DNS::SEC -e' print Net::DNS::RR->new("ericgermann.photography. DNSKEY  256 3 15 9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9

Re: Funky Key Tag in AWS Route53 (2)

2022-12-29 Thread Timothe Litt
Net::DNS::RR->new("ericgermann.photography. DS 22755 8 2 2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"' Enjoy. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my e

Re: Funky Key Tag in AWS Route53 (2)

2022-12-29 Thread Timothe Litt
If it is, they have a bug You might also consider using a different key experimentally, on the off chance that a wrong keytag bug is data-dependent. But the most likely scenario is that somehow AWS is generating a DS for a different key. I don't use AWS, so that's as fa

Re: Funky Key Tag in AWS Route53 (2)

2022-12-29 Thread Timothe Litt
8 2 2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D922D1E7FA9| So, as I concluded, AWS was generating a DS for a different "key".  Its keytag was correct for the data it got. Glad you got to a solution. Timothe Litt ACM Distinguished Engineer -- This communic
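The thread above turns on a DS record whose key tag and digest did not correspond to the DNSKEY actually published, and the two digest strings quoted in it are not even the same length. The check Timothe describes with Net::DNS can be done without any DNS library: recompute the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 Section 5 / RFC 4509) from the DNSKEY wire data and compare them field by field. The Python below is an added worked example, not code from the thread or from BIND; the DNSKEY it uses is a constructed algorithm-15 record for example.com. with a made-up 32-byte public key, and the broken DS it checks is constructed to mimic a digest that lost bytes and gained a space in transit.

```python
"""Independent DNSKEY key tag and DS digest check (RFC 4034 App. B, RFC 4034 s.5 / RFC 4509).

Added worked example; not code from the list thread. The DNSKEY below is a
constructed algorithm-15 (Ed25519) record with a made-up 32-byte public key.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 s.5.1.3, RFC 4509, RFC 6605) -> (hash, hex length)
DS_DIGESTS = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}


def name_to_wire(name):
    """Canonical wire form of an absolute owner name (lower-cased, RFC 4034 s.6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key (RFC 4034 s.2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses the B.1 formula, not this one)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 uses the RSA/MD5 key tag formula in App. B.1")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if (i & 1) == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_hex(owner, rdata, digest_type=2):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), as lowercase hex."""
    h, _ = DS_DIGESTS[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest()


def check_ds(ds_text, owner, rdata):
    """Compare a DS in presentation form ("tag alg type hex...") with a DNSKEY.

    Returns a list of mismatch reasons; an empty list means the DS matches.
    Whitespace inside the hex field is joined first, so a digest that was
    pasted with an embedded space shows up as a wrong length, not as garbage.
    """
    fields = ds_text.split()
    tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    digest = "".join(fields[3:]).lower()
    problems = []
    if alg != rdata[3]:
        problems.append("algorithm %d != DNSKEY algorithm %d" % (alg, rdata[3]))
    if dtype not in DS_DIGESTS:
        problems.append("unknown digest type %d" % dtype)
        return problems
    want_len = DS_DIGESTS[dtype][1]
    if len(digest) != want_len:
        problems.append("digest is %d hex chars, type %d needs %d" % (len(digest), dtype, want_len))
    expected_tag = keytag(rdata)
    if tag != expected_tag:
        problems.append("key tag %d != computed %d" % (tag, expected_tag))
    if digest != ds_digest_hex(owner, rdata, dtype):
        problems.append("digest does not match DNSKEY")
    return problems


# Constructed sample: flags 256 (ZSK), protocol 3, algorithm 15, fake 32-byte key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = bytes(range(32))
SAMPLE_RDATA = dnskey_rdata(256, 3, 15, SAMPLE_KEY)


def sample_dnskey_text():
    """Presentation form of the constructed DNSKEY, as a zone file would show it."""
    return "%s DNSKEY 256 3 15 %s" % (SAMPLE_OWNER, base64.b64encode(SAMPLE_KEY).decode())


def sample_ds_text():
    """A DS record derived from the constructed DNSKEY (digest type 2, SHA-256)."""
    return "%d 15 2 %s" % (keytag(SAMPLE_RDATA), ds_digest_hex(SAMPLE_OWNER, SAMPLE_RDATA))


if __name__ == "__main__":
    print(sample_dnskey_text())
    print("DS:", sample_ds_text())
    # Constructed failure mode: six hex characters dropped and a space inserted.
    good = sample_ds_text()
    broken = good[:40] + " " + good[46:]
    print("good   ->", check_ds(good, SAMPLE_OWNER, SAMPLE_RDATA) or "OK")
    print("broken ->", check_ds(broken, SAMPLE_OWNER, SAMPLE_RDATA))
```

Run it against a real zone by pasting the DNSKEY fields from `dig +dnssec DNSKEY zone` into `dnskey_rdata()` (base64-decode the key) and the parent's DS from `dig DS zone`; a non-empty list from `check_ds()` tells you which field the registrar or hosting console got wrong before you start guessing which key it hashed.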

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2))

2022-12-29 Thread Timothe Litt
On 29-Dec-22 13:45, Peter wrote: On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote: ! (Manual processes ! are error-prone.  That getting registrars to adopt CDS/CDNSKEY - RFC7344 - ! has been so slow is unfortunate.) Seconded. Do You have information about this moving at all

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

2022-12-29 Thread Timothe Litt
Apparently I didn't include the DNS script library link mentioned in my note.  Sorry. https://github.com/srvrco/getssl/tree/master/dns_scripts On 29-Dec-22 13:45, Peter wrote: On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote: ! (Manual processes ! are error-prone.  That ge

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

2022-12-29 Thread Timothe Litt
e anything that no complaints are received.    Which discourages adoption, keeps the user base small, validates the "don't do much" strategy, and - catch-22, DNSSEC doesn't expand beyond the hardcore techies. The problem is politics, not technology. Timothe Litt ACM Distin

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

2022-12-29 Thread Timothe Litt
re found at the end of the string, e.g., a base 64 string terminated with "===", the excess pad characters could be ignored. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the ma

Re: bind-users Digest, Vol 4302, Issue 1

2023-08-21 Thread Timothe Litt
ss fields in the records. https://github.com/tlhackque/certtools has a simple utility called acme_token_check  that does (c) to remove stray ACME records - it shows how to do the transfer and walk the zone.   (And also how to use DNS UPDATE to maintain it.) Enjoy. Timothe Litt ACM Dist

Re: Zone stats

2023-08-21 Thread Timothe Litt
do the transfer and walk the zone.   (And also how to use DNS UPDATE to maintain it.) Enjoy. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. OpenPGP_signature Descripti

Re: 9.18 BIND not resolving .gov.bd site

2023-10-30 Thread Timothe Litt
if not a DNS expert, the easiest diagnostic to use is https://dnsviz.net It's graphical, detailed and while oriented toward DNSSEC, detects many other misconfigurations. Fix the errors and warnings shown at https://dnsviz.net/d/mofa.gov.bd/dnssec/ and retest. Timothe Litt ACM Dist

Root hints updates

2012-09-06 Thread Timothe Litt
) status - list current file One caution: Do not copy the script using copy & paste; there are places where literal tabs and spaces are important. [Some environments have very limited regexps.] It's freely redistributable, with the usual caveat that there is no warranty o

RE: Root hints updates

2012-09-06 Thread Timothe Litt
yer [mailto:bortzme...@nic.fr] Sent: Thursday, September 06, 2012 09:08 To: Timothe Litt Cc: bind-users@lists.isc.org Subject: Re: Root hints updates On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt wrote a message of 466 lines which said: > This is a script to automagically update the root

Logging

2013-01-08 Thread Timothe Litt
n general, logging is most useful when the data goes to someone who can do something about it. Logging at the victim is useful for isolating a problem - but if no-one is actually troubleshooting (and won't), it's largely wasted. DNSSEC is another area where issues need to be forwarded to

Re: Logging

2013-01-08 Thread Timothe Litt
ike it would be a step up from the current situation. Today, the lame server logging delivers data to the source about 0% of the time. If my suggestion increases that to any non-zero number, it would be an improvement. Timothe Litt ACM Distinguished Engineer -- Thi

Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Timothe Litt
nt it to you folks quite some time ago (and could resend). Since you're obviously in the code, would you re-consider this? It's pretty straightforward, it simply selects a subset of the data in the (then-) existing flow. Thanks on both counts. Timothe Litt ACM Distingui

Re: BIND 9.9.3b1 is now available

2013-01-25 Thread Timothe Litt
l the servers going to go down and reboot with the new config synchronously? What if you have lots of them (e.g. 10s or 100s)? In different admin domains? As you say, this is an API Flag days are never fun, and this is avoidable. Timothe Litt ACM Distinguished Eng

Re: bind-users Digest, Vol 1629, Issue 1

2013-09-19 Thread Timothe Litt
If you want multiple servers, the second one usually costs less because you kept all the bootstrapping supplies. Further discussion should probably find another list... Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer'

Re: Unable to transfer IPv4 reverse zone

2013-12-19 Thread Timothe Litt
(which are DNSSEC signed) transfer just fine. Not helpful without my configuration? That's the point. Post yours with the log messages showing the transfer attempts & failures and maybe someone (else) will help. Timothe Litt ACM Distinguished Engineer -- This co

Re: Re: Slowing down bind answers ?

2014-01-05 Thread Timothe Litt
ian operations to encourage migration are a lot larger than they were in years past. -- Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

Re: Re: changing NSEC3 salt

2014-02-06 Thread Timothe Litt
m a zone file, though that doesn't seem unreasonable. (E.g. if read from a zone file, pick a salt, treat the record as if loaded with that value, and do all the requisite (re-)signing.) I'm copying bind9-bugs so this doesn't get lost. Please don't copy that list if you co

Re: Re: changing NSEC3 salt

2014-02-06 Thread Timothe Litt
On 06-Feb-14 09:14, Klaus Darilion wrote: On 06.02.2014 14:58, Cathy Almond wrote: On 06/02/2014 12:58, Timothe Litt wrote: On 06-Feb-14 05:56, Cathy Almond wrote: On 05/02/2014 18:54, David Newman wrote: The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone'

Re: Re: High recursive client counts

2014-03-26 Thread Timothe Litt
c tcp/udp 10.0.0.1 53 16.123.213.11 53 extendable no-payload ) Otherwise, the router will try to be 'helpful' by modifying the payload - which breaks quite a few things, and not necessarily in obvious ways. Timothe Litt ACM Distinguished Engineer -- This commun

Re: Re: AIX and 9.9.5 compiling

2014-05-09 Thread Timothe Litt
e. These tend to run themselves. And they don't use much power, so a fairly inexpensive UPS will keep router, modem, phone up for many hours. I ported bind to optware many years ago for this. And no, I'm not suggesting that bind should be run on your favorite smartphone... Timothe Lit

Re: Re: AIX and 9.9.5 compiling

2014-05-09 Thread Timothe Litt
estions on what should be done more officially/thoroughly. (Including routine builds during development.) Including ARM - native and cross-compiled - would support parts of the community that don't get much attention (nor make much noise.) Embedded and cross-architecture

Re: Re: "clients-per-query" vs "max-clients-per-query"

2014-06-08 Thread Timothe Litt
this what response rate limiting is for? Given RRL, does this still make sense? For the latter, separating the measurement/threshold tuning from the decision to drop would seem to produce more sensible behavior than dropping every 5i-th packet. And for it to make any sense at all, it must be adju

Re: "clients-per-query" vs "max-clients-per-query"

2014-06-08 Thread Timothe Litt
I guess I confuse easily...still Either I don't understand what it's doing, or I don't understand why it's doing what it is, or what it's doing is confused. Sigh. On 08-Jun-14 14:24, Evan Hunt wrote: > On Sun, Jun 08, 2014 at 09:45:23AM -0400, Timothe Litt wrote: >

Re: Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-26 Thread Timothe Litt
not there, and until we are, my advice is that resolvers consult the DLV. It's not perfect, but it's what we have. See dnssec-deployment for other discussions of this (sometimes controversial) topic. Timothe Litt ACM Distinguished Engineer -- This communication may not re

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-27 Thread Timothe Litt
On 27-Aug-14 14:54, Doug Barton wrote: > On 8/26/14 10:35 AM, Timothe Litt wrote: >> I think this is misleading, or at least poorly worded and subject to >> misinterpretation. > > I chose my words carefully, and I stand by them. > The OP was asking about configuring a res

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

2014-08-28 Thread Timothe Litt
On 27-Aug-14 20:35, Doug Barton wrote: > On 8/27/14 3:03 PM, Timothe Litt wrote: >> So you really meant that validating resolvers should only consult DLV if >> their administrator knows that users are looking-up names that are in >> the DLV? That's how I read your

Re: Re: Wrong NSEC3 for wildcard cname

2014-11-20 Thread Timothe Litt
On 19-Nov-14 19:03, Graham Clinch wrote: > Hi Casey & List folks, >> My apologies - this was actually a bug in DNSViz. The NSEC3 computation >> was being performed on the wrong name (the wrong origin was being >> applied). It should be fixed now, as shown in: >> >> http://dnsviz.net/d/foo.cnamete

Re: BIND DNSSEC Guide draft

2015-01-04 Thread Timothe Litt
reduces management overhead. I know generating the hash for that with openssl isn't fun. But, https://www.huque.com/bin/gen_tlsa is the easiest way that I've found to generate TLSA records. And it supports SPKI selectors... So you might want to point to it. I'll try to have a clos

Of long names...

2015-03-15 Thread Timothe Litt
15031503 28800 7200 604800 3600 ;; Query time: 7 msec ;; SERVER: 192.168.148.4#53(192.168.148.4) ;; WHEN: Sun Mar 15 07:01:16 EDT 2015 ;; MSG SIZE rcvd: 216 I have verified that bind is happy to create and resolve similar names... Oh, and the third record does resolve, which makes me suspic

Re: Of long names...

2015-03-15 Thread Timothe Litt
nce. And since there's no problem, they refuse to escalate. I've made an out-of-band attempt to get the attention of their management. FWIW, bind is quite happy to accept these names in a domain where I run my own servers. Timothe Litt ACM Distinguished Engineer

Re: Of long names...

2015-03-15 Thread Timothe Litt
the code than by experiment. I think that's conclusive, which is why I stepped into the support morass. I'm tempted to move the domain to my own servers, but I really hate to let vendors get away with customer-unfriendly support. Other people don't have th

Re: DNSSEC secondary (free) - Was - Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Timothe Litt
On 20-Aug-15 10:50, /dev/rob0 wrote: > On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote: >> There are a number of providers out there offering secondary >> dns services for free or for a few bucks/month. Even DNSSEC >> is possible for free. > This is good news! I knew there were sever

Re: Re: Identify source of "rndc reconfig" command?

2015-08-25 Thread Timothe Litt
ize & doing a reconfig to close/reopen the log file. (In which case, report a bug in the log manager's config - named's own log file management avoids all those hassles.) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM

Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

2015-09-07 Thread Timothe Litt
have too many patch conflicts to resolve. After you've done this once or twice, you'll want to revisit you need for local changes - either decide they're not that important, or offer them to ISC. Maintaining a private version is work. Timothe Litt ACM Distinguished Engineer --

Re: Install BIND 9.9.7-P2 to fix vulnerability CVE-2015-5477

2015-09-08 Thread Timothe Litt
ble building with openssl. Make sure that you have the openssl-dev RPMs installed. Don't try to build that from source; RedHat heavily patches it & other packages depend on the changes. Switching to the RedHat version of named may be your best option. This should not be difficul

Re: Re: intermittent SERVFAIL with a DLV domain

2015-12-24 Thread Timothe Litt
f.1.0.0.0.8.1.0.a.2.ip6.arpa//IN': > 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53 > 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving > '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN': > 217.168.153.95#53 > &g

Re: Writeable file already in use

2016-01-05 Thread Timothe Litt
nssec maintain saves a lot of work, or the next technology comes along. To misappropriate a K&R quote - "Your constant is my variable". Or the ever popular "If you don't take the time to do it right, you'll have to make the time to do it over...and over again".

Re: Re: DNSSEC validation failures for www.hrsa.gov

2016-06-25 Thread Timothe Litt
-- 1.0.1 [New Rules] If this is correct, the project website for Eagle DNS would appear to be: http://www.unlogic.se/projects/eagledns It seems a rather odd choice for a .gov (US Health and Human Services) owned domain...though one never knows what IT outsourcing will produce :-) Timothe L

Re: Advice on balancing web traffic using geoip ACls

2020-02-23 Thread Timothe Litt
r effort, which may be worthwhile if it allows you to concentrate on your unique value proposition. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 22-Feb-20 20:25,

Re: with dot in NAME for ACME via dynamic update (Axel Rau)

2020-03-14 Thread Timothe Litt
Er, dig _acme-challenge.imap.lrau.net. is missing a record type.  The default is A. dig _acme-challenge.imap.lrau.net. txt will likely give you better results Timothe Litt ACM Distinguis

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Timothe Litt
he code to do (TSIG-signed) updates. As for the next layer - XML or whatever - that's another project.  If you speak Perl, it would not be difficult to wrap Net::DNS to meet your needs. P.S. Other than using it (and reporting the occasional bug), I have no relationship with Net::DNS :-) Ti

Re: DNSSEC - many doubts

2020-04-03 Thread Timothe Litt
  Or any Intel or AMD cpu since ~2015 has RDRAND/RDSEED. There are some religious arguments about booby-trapped hardware sources - these days, kernels will mix all sources, so I don't get too upset.  But YMMV. Timothe Litt ACM Distinguished Engineer -- This communicatio

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Timothe Litt
address other than what you intend.  Use -b to explicitly bind to a particular interface. (Or, if you use TSIG to match views, -k) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's vie

Re: Request for review of performance advice

2020-07-10 Thread Timothe Litt
onment to the real world...)  While full automation can be fun, it's amazing how much one can get out of a spreadsheet with/autofilter.  (For the next level, pivot tables and/or charts...) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the

Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Timothe Litt
high query rates. RFC2182 (https://tools.ietf.org/html/rfc2182) is fairly readable and describes many of the considerations involved in selecting secondary DNS servers.  DNS appears deceptively simple at first blush.  Setting up a serviceable infrastructure requires an investment of thought and on-go

Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Timothe Litt
f you skimp on that investment, since broken DNS is externally visible - and frequently catastrophic." I'll finish with a 1987 quote from Leslie Lamport on distributed systems, which the DNS most certainly is: "A distributed system is one in which the failure of a computer you didn'

Re: How Zone Files Are Read

2020-12-16 Thread Timothe Litt
, > just trying to understand for future reference. > > TIA, > Tim DNS is complicated.  The scope of an error in a zonefile is hard to determine. To avoid this, your automation should use named-checkzone before releasing a zone file. This will perform all the checks that na

Re: How Zone Files Are Read

2020-12-16 Thread Timothe Litt
On 16-Dec-20 13:52, Tim Daneliuk wrote: > On 12/16/20 12:25 PM, Timothe Litt wrote: >> On 16-Dec-20 11:37, Tim Daneliuk wrote: >>> I ran into a situation yesterday which got me pondering something about >>> bind. >>> >>> In this case, a single line i

Re: Status of zytrax.com "DNS for Rocket Scientists" website

2021-04-21 Thread Timothe Litt
e.org/web/20201223034301/https://www.zytrax.com/books/dns/> Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 20-Apr-21 19:09, Victoria Risk wrote: > Ron Aitchinson called me t

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-04-29 Thread Timothe Litt
the network (to make DNS queries[no, not named!], including control) - yes: prefer to keep FWIW - YMMV. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 29-Apr-21

Re: root.hints - apparmor access error with Bind from PPA

2021-06-04 Thread Timothe Litt
had only a couple of IPv4 addresses wrong.  (Didn't have many IPv6.)  root.hint really IS stable - and so, therefore, are the named built-ins. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, o

Re: RE: No more support for windows

2021-06-10 Thread Timothe Litt
tart a religious war or to prolong the debate on what ISC does.  It assumes BIND won't support windows, that WSL is imperfect, and that an alternative to complaining might be helpful...  Feel free to s/Linux/(Solaris|FreeBSD|VMS|yourfavorite/g. I don't have a need for BIND (except the tools)

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
A fair question for users would be what restart times are acceptable for their environment - obviously a function of the number and size/content of zones.  And is a restart "all or nothing", or would some priority/sequencing of zone availability meet requirements? Timothe Litt ACM Distinguis

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
On 10-Sep-21 08:36, Victoria Risk wrote: > > >> On Sep 10, 2021, at 7:24 AM, Timothe Litt > <mailto:l...@acm.org>> wrote: >> >> Clearly map format solved a big problem for some users.  Asking >> whether it's OK to drop it with no statement of

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
at much. A new memory mapped data structure that didn't require "updating node pointers" (e.g. that used offsets instead of pointers) may be worth considering.  In current hardware and with a decent compiler and coding, the apparent cost of this over absolute pointers may well b

Re: Notice of plan to deprecate map zone file format

2021-09-10 Thread Timothe Litt
On 10-Sep-21 13:11, Evan Hunt wrote: > Recently a critical bug was discovered in which map files that were > generated by a previous version of BIND caused a crash in newer versions. > It took over a month for anybody to report the bug to us, which suggests > that the number of people willing to pu

Re: Freezing a Zone vs. Stopping the DNS Server

2021-09-29 Thread Timothe Litt
n the records.  It's easier, doesn't stop service, and because it automates the mechanics, safer. BTW: I recommend using TSIG for authorization with nsupdate rather than IP addresses. Timothe Litt ACM Distinguished Engineer -- This communication may not represen

Re: ipv6 adoption

2022-02-16 Thread Timothe Litt
vers, you need to meet the geographic dispersion rules.  At least 2 servers in two places.  That's true no matter what protocols you use.  There are backup DNS services that support IPv6.  A free one that supports both IPv6 and DNSSEC is puck.nether.net/dns. There are plenty of D

Re: ipv6 adoption (HE & DNSSEC)

2022-02-17 Thread Timothe Litt
   But enough polite requests might help. Perhaps further discussion of this belongs elsewhere...it seems to be wandering from BIND. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the

Re: freebsd ipfw question

2022-02-18 Thread Timothe Litt
in order.  And if it comes to that, do yourself (and your successors) a favor and document the problem you encounter and how your solution works... Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on

Re: freebsd ipfw question

2022-02-21 Thread Timothe Litt
isn't the right mitigation. It's important not to jump to conclusions... Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. OpenPGP_signature Description: Open

Re: Supporting LOC RR's

2022-04-12 Thread Timothe Litt
rs are easily found at less than $20.  This may be a better choice than LOC records.  GPS tells you where you are; LOC tells everyone else... HTH Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on

Re: Supporting LOC RR's

2022-04-12 Thread Timothe Litt
ly what problem you're asking LOC (or anything) to solve. BTW, RFC1876 is worth reading for the suggested search algorithms.  I don't think it ever moved from "experimental", which may be part of why uptake hasn't been great. Timothe Litt ACM Distinguished Engineer

Re: Supporting LOC RR's

2022-05-02 Thread Timothe Litt
On 01-May-22 05:03, Bob Harold wrote: On Wed, Apr 13, 2022 at 9:39 AM Bjørn Mork wrote: Timothe Litt writes: > Anyhow, it's not clear exactly what problem you're asking LOC (or > anything) to solve. Which problems do LOC solve? I remember adding LOC

Re: Supporting LOC RR's

2022-05-02 Thread Timothe Litt
the result :-) Still, overall DNS seems to generate more problems than fun, so if LOC provides amusement, it's a good thing. Malheureusement, LOC's practical application remains unclear. Timothe Litt ACM Distinguished Engineer -- This communication may not rep

Re: Supporting LOC RR's

2022-05-13 Thread Timothe Litt
and at what cost.  I don't expect a positive outcome, but if I'm wrong, by all means post the details. Since this has indeed come full circle, I'm done. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my em

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Timothe Litt
" type static-stub;\n  server-addresses { 127.0.0.1; };  \n}; \n"}' >internal_stub_zones.conf| will generate the static-stub declarations. Of course, depending on how you add/remove zones, YMMV. Timothe Litt ACM Distinguished Engineer -- This commun

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

2022-08-02 Thread Timothe Litt
being defective/compromised... Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. OpenPGP_signature Description: OpenPGP digital signature -- Visit https://lists.isc.org/mailma

Re: bind-users Digest, Vol 4031, Issue 3

2022-08-02 Thread Timothe Litt
nd match-clients, but those are site-specific. You can also slave the root zone - that's orthogonal to AD. I suggest taking one step at a time. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Timothe Litt
On 02-Aug-22 13:18, Peter wrote: On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote: ! ! On 02-Aug-22 11:09,bind-users-requ...@lists.isc.org wrote: ! ! > | Before your authoritative view, define a recursive view with the internal ! > ! zones defined as static-stub, match-rec

Re: RE: DNSSEC adoption

2022-08-02 Thread Timothe Litt
ns servers, and client resolvers all on the same page.  I'm not holding my breath. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. OpenPGP_signature Desc

Re: DNSSEC adoption

2022-08-03 Thread Timothe Litt
folks working on dnssec-policy seem to have been responsive. FWIW Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. OpenPGP_signature Description: OpenPGP digital signatur

,Re: caching does not seem to be working for internal view

2022-08-03 Thread Timothe Litt
show what happens (if it still does - it could be that the ATT router's resolver is at fault). Intermediate step would be to use dig. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on t

Re: ,Re: caching does not seem to be working for internal view

2022-08-03 Thread Timothe Litt
Try echo -e "[main]\ndns=none" > /etc/NetworkManager/conf.d/no-dns.conf systemctl restart NetworkManager.service Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters dis

Re: ,Re: caching does not seem to be working for internal view

2022-08-03 Thread Timothe Litt
agers that I know of aren't in redhat distributions. You may need to use auditing to identify what is writing the file. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters d

Re: parental-agents clause - IP address only ?

2022-12-05 Thread Timothe Litt
o "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2     exit 1     fi     if [ -z "$IP" ]; then     echo "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2         exit 1     fi     sed -i "

Re: parental-agents clause - IP address only ?

2022-12-05 Thread Timothe Litt
age you to share it. Here, or especially if larger, a pointer to one of the usual platforms. (GitHub, GitLab, sourceforge, etc). The community works best when everyone contributes what they can. Timothe Litt ACM Distinguished Engineer -- This communication may not represent

Re: parental-agents clause - IP address only ?

2022-12-06 Thread Timothe Litt
" in selecting a suitable resolver for an external process.  In any case, using "include" in configurations can help to modularize/isolate the places where IP addresses are used. Timothe Litt ACM Distinguished Engineer -- This communication may not r

RE: rndc addzone/delzone in 9.7.2rc1 (was: rndc reconfig delays)

2010-08-28 Thread Timothe Litt
Seems to me that if you stick with this, a couple of things are necessary for manageability: o Some command to translate a zone file name to a view/zone name, and vice-versa. That would enable people to debug based on file contents... o A method to migrate zones from today's 'named.conf-config

Upgrading from 9.6 to 9.7

2010-09-06 Thread Timothe Litt
I've been running 9.6-ESV-R1 and 9.6.1-P3 with "-DALLOW_INSECURE_TO_SECURE -DALLOW_SECURE_TO_INSECURE" serving DNSSEC zones on several servers - all linux, some FC13, others on ARM embedded systems. Is there any documentation for what I need to do to convert from this interim dnssec auto-signing m

RE: Upgrading from 9.6 to 9.7

2010-09-06 Thread Timothe Litt
Thanks - a couple of clarifying questions.. From: Mark Andrews [mailto:ma...@isc.org] Sent: Monday, September 06, 2010 19:57 To: Timothe Litt Cc: bind-us...@isc.org Subject: Re: Upgrading from 9.6 to 9.7 In message , "Timothe Litt" writ es: > I've been running 9.6-ESV-R1

DNSSEC, views & trusted keys...

2010-09-09 Thread Timothe Litt
I have 9.7.1-P2 running and since it's supposed to be 'for humans', I guess I'm trying to determine if I am one. It's not going as well as hoped... :-) I have a domain - example.net, with two views, the usual 'internal' and 'external'; a third is planned. The master maintaining all the sub-domai

RE: DNSSEC, views & trusted keys...

2010-09-10 Thread Timothe Litt
BIND isn't lying about having validated... Other ideas? -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Thursday, September 09, 2010 22:06 To: Phil Mayers Cc: bind-us...@isc.org Subject: Re: DNSSEC, views & trusted keys... In message <4c891404.3

Statistics channel patch

2010-09-13 Thread Timothe Litt
I have found the statistics channel useful for getting the active zone configuration - this lets my management GUI autoconfigure validity checks and pull-down menus for zones. This will be especially helpful when the dynamic add/delete zone situation is sorted out. But it's useful now because it

RE: DNSSEC, views & trusted keys...

2010-09-14 Thread Timothe Litt
.isc.org Subject: Re: DNSSEC, views & trusted keys... On Sep 11, 2010, at 2:34 AM, Phil Mayers wrote: > On 09/10/2010 11:12 PM, Timothe Litt wrote: >> >> So it looks like the new (r-internal) view is starting at the root when it >> resolves -- ignoring what it has da

Auto signing & ARM

2010-09-20 Thread Timothe Litt
I'm trying to get named and my management tool cooperating with named on DNSSEC key management. I'm seeing behavior with auto-signing that doesn't strictly match the ARM and would like to know what's correct. I'm also not clear on what named expects for some cases. 4 questions after a little co

RE: DNSSEC, views & trusted keys...episode 43

2010-11-01 Thread Timothe Litt
I have tried to consolidate the several suggestions for how to configure a view that would respond with AD to recursive queries for authoritative zones. I don't have a working recipe. I could use some help. At this point, it looks like the recursive view is still going to the external nameserv

RE: can I set the second nameserver to a public dns cache?

2011-03-28 Thread Timothe Litt
No. But you can use a public (commercial or non-commercial) secondary DNS service. Google "secondary dns" or "free secondary dns". You will find a number of services and reviews. Be careful in selecting - many charge or limit you based on the number of queries and/or zones. QOS and reliability

RE: start script for bind9

2011-04-14 Thread Timothe Litt
YMMV wrt "just works". Yes, running the latest ISC bind can be worthwhile after the OS distribution stops updating (or before it gets around to packaging the latest ISC version.) People considering the approach suggested by David & Alan should be aware that the OS startup files often do more than

DNAME?

2011-06-30 Thread Timothe Litt
I have domain example.net in production, and have recently acquired example.us and example.info. For whatever reason, I want example.us to simply mirror example.net, which is dynamically updated (and dnssec). And I want example.us to be zero maintenance. (Well, OK I know I need separate DNSSEC k

RE: DNAME?

2011-07-01 Thread Timothe Litt
is no practical approach. Sigh. - This communication may not represent my employer's views, if any, on the matters discussed. -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Thursday, June 30, 2011 20:58 To: Jo

RE: DNAME?

2011-07-01 Thread Timothe Litt
yer's views, if any, on the matters discussed. _ From: Jon F. [mailto:pikel@gmail.com] Sent: Thursday, June 30, 2011 16:11 To: Timothe Litt Cc: bind-users@lists.isc.org Subject: Re: DNAME? I have a similar set up to that and it works. Have you checked the logs to make sur

RE: DNAME?

2011-07-02 Thread Timothe Litt
unication may not represent my employer's views, if any, on the matters discussed. -Original Message- From: Mark Andrews [mailto:ma...@isc.org] Sent: Friday, July 01, 2011 21:58 To: Timothe Litt Cc: 'Jon F.'; bind-us...@isc.org Subject: Re: DNAME? When DNAME was be

RE: Exercising RFC 5011 rollovers

2011-11-26 Thread Timothe Litt
There are tools for this. E.g. libfaketime - This communication may not represent my employer's views, if any, on the matters discussed. -Original Message- From: Phil Mayers [mailto:p.may...@imperial.ac.uk] Sent: Saturday, Nove

RE: Re: .TLD minimum number of nameservers rule

2011-12-13 Thread Timothe Litt
Actually, there's a simpler solution to meeting the rule for 2 NS. Use any of the secondary nameserver services. They come in a range of prices/service levels. (Price and delivered service don't always correlate.) Generally they act as slaves off your master; some are bind based and use IXFR; ot

Resolving .gov w/dnssec

2010-04-22 Thread Timothe Litt
I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV configured as validating resolvers. Using dig, I get a connection timeout error after a long (~10 sec) delay. +cdflag provides an immediate response. state.gov does not get this error. Note that it uses different nameservers
