Re: [CentOS] DNSSEC Questions

2019-02-15 Thread Gordon Messmer
On 2/12/19 11:49 PM, Paul R. Ganci wrote: Okay so I misunderstood the message I was getting when I checked my DNSSEC setup via http://dnsviz.net/. What you are telling me is that all I had to do was re-sign the zone files but that it was not necessary to generate new keys. This point is definit

Re: [CentOS] DNSSEC Questions

2019-02-13 Thread Paul R. Ganci
On 2/13/19 3:51 AM, Alice Wonder wrote: I see you are using algorithm 7 - I would recommend switching to either algorithm 13 or at least to 8. Algorithm 7 uses a SHA1 hash. See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04 That's a draft but soon will be an update to the st

Re: [CentOS] DNSSEC Questions

2019-02-13 Thread Alice Wonder
On 2/12/19 11:49 PM, Paul R. Ganci wrote: On 2/12/19 10:55 PM, Alice Wonder wrote: DNSSEC keys do not expire. Signatures do expire. How long a signature is good for depends upon the software generating the signature, some let you specify. ldns I believe defaults to 60 days but I am not sure.

Re: [CentOS] DNSSEC Questions

2019-02-12 Thread Paul R. Ganci
On 2/12/19 10:55 PM, Alice Wonder wrote: DNSSEC keys do not expire. Signatures do expire. How long a signature is good for depends upon the software generating the signature, some let you specify. ldns I believe defaults to 60 days but I am not sure. The keys are in DNSKEY records that are

Re: [CentOS] DNSSEC Questions

2019-02-12 Thread Alice Wonder
On 2/12/19 7:26 PM, Paul R. Ganci wrote: Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is

Re: [CentOS] DNSSEC

2010-05-02 Thread Nataraj
Nataraj wrote: > m.r...@5-cent.us wrote: > >> Well, folks, >> >>There's an article on slashdot, >> >> >> Excerpt: >> ...the coming milestone of May 5, at 17:00 UTC --- at this time DNSSEC will >> be rolled out across all 13 root serv

Re: [CentOS] DNSSEC

2010-05-01 Thread Nataraj
m.r...@5-cent.us wrote: > Well, folks, > >There's an article on slashdot, > > > Excerpt: > ...the coming milestone of May 5, at 17:00 UTC --- at this time DNSSEC will > be rolled out across all 13 root servers. Some Internet users, espe

Re: [CentOS] DNSSEC

2010-04-30 Thread m . roth
Drew wrote: > Behalf Of m.r...@5-cent.us > Sent: Friday, April 30, 2010 1:07 PM > >>There's an article on slashdot, >> > >> Excerpt: >> ...the coming milestone of May 5, at 17:00 UTC - at this time DNSSEC will >> be rolled out across a

Re: [CentOS] DNSSEC

2010-04-30 Thread Drew Weaver
Hi, It's enabled by default if BIND is the right version nothing needs to be done. I found it kind of sad that the version of BIND that comes with the latest version of CentOS 4 is so old that it doesn't support DNSSEC. thanks, -Drew XLHost.com -Original Message- From: centos-boun...@ce