On Thu, Oct 11, 2018, at 3:51 PM, Viktor Dukhovni wrote:
> Check the user "named" runs as after chroot and dropping privs has
> write permissions to update the root trust-anchor file (may need
> write permissions to the containing directory to make the update
> atomic).
thanks! I _think_ I'm set
On Thu, Oct 11, 2018 at 03:44:56PM -0700, pg...@dev-mail.net wrote:
> resolver's up, running & working now, at least as verified with the usual
>
> dig @127.0.0.1 dnssec-failed.org a +dnssec
>
> not clear if all of that^ was needed, but it apparently did the trick.
>
> thanks all.
Check the
On Thu, Oct 11, 2018, at 2:33 PM, Bill Cole wrote:
> > Isn't 'hardwired' here afaict. Looking at the ICANN site -- again --
> > is probably best advice.
>
> Since you're running BIND, https://kb.isc.org/docs/aa-01182 might be
> more specifically helpful, although I'm not sure that you can recov
On 11 Oct 2018, at 14:07, pg...@dev-mail.net wrote:
Isn't 'hardwired' here afaict. Looking at the ICANN site -- again --
is probably best advice.
Since you're running BIND, https://kb.isc.org/docs/aa-01182 might be
more specifically helpful, although I'm not sure that you can recover
from t
> On 11 Oct 2018, at 19:07, pg...@dev-mail.net wrote:
>
>> The switch to the new KSK seems the most likely cause, assuming DNSSEC
>> validation always worked for you before then.
>
> It's been 'working' for ages. Yes, I could have been 'just lucky for a long
> time'.
DNSSEC is very brittl
On Thu, Oct 11, 2018, at 11:03 AM, Jamie Nelson wrote:
> https://www.icann.org/dns-resolvers-checking-current-trust-anchors
was JUST looking for that! thx.
On Thu, Oct 11, 2018, at 10:58 AM, Viktor Dukhovni wrote:
> This does not look like a forwarder problem, your own trusted key
> list is not up to date. Either it is manually maintained, or
> automated updates are failing (perhaps permission problems to update
> the files, the keys need to be wr
On Thu, Oct 11, 2018, at 10:53 AM, Jim Reid wrote:
> Although switching off DNSSEC validation will keep the mail flowing, it
> only kludges around the underlying problem. Which might or might not be
> related to the rollover of the root KSK a few hours ago. It’s hard to
> tell from the inform
This may help
https://www.icann.org/dns-resolvers-checking-current-trust-anchors
Jamie
October 11, 2018 11:59 AM, "Viktor Dukhovni" wrote:
> On Thu, Oct 11, 2018 at 10:27:57AM -0700, pg...@dev-mail.net wrote:
>
>> Can you comment just a bit further on 'ready'?
>
> By "ready" I mean that it
On Thu, Oct 11, 2018 at 10:27:57AM -0700, pg...@dev-mail.net wrote:
> Can you comment just a bit further on 'ready'?
By "ready" I mean that it has a working "rfc5011" key rollover
implementation, and so has already long added KSK2017 to its list
of root trust anchors. Or alternatively, that some
On 11 Oct 2018, at 18:27, pg...@dev-mail.net wrote:
>
> Changing my local dns (named) config to
>
> - dnssec-enable yes;
> + dnssec-enable no;
> dnssec-lookaside no;
> - dnssec-validation yes;
> + dnssec-validation no;
>
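Review bot: the "+ dnssec-validation no;" line, together with "+ dnssec-enable no;", switches validation off entirely instead of repairing the root trust anchor, so the resolver will accept bogus answers along with valid ones. I would leave both options at "yes" and fix the anchor itself, for example with "dnssec-validation auto;", which has named maintain the root key through its RFC 5011 managed-keys support, and confirm that the user named runs as can write the managed-keys file and its directory.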
> ge
On Thu, Oct 11, 2018, at 9:40 AM, Viktor Dukhovni wrote:
> On Thu, Oct 11, 2018 at 11:24:13AM -0400, Viktor Dukhovni wrote:
>
> > In case you've not seen this many other places, just a friendly
> > reminder that ICANN is rolling the DNSSEC root KSK today. Make
> > sure your resolver (if it is
On Thu, Oct 11, 2018 at 11:24:13AM -0400, Viktor Dukhovni wrote:
> In case you've not seen this many other places, just a friendly
> reminder that ICANN is rolling the DNSSEC root KSK today. Make
> sure your resolver (if it is validating) is ready. If you're
> forwarding queries to an upstream r
In case you've not seen this many other places, just a friendly
reminder that ICANN is rolling the DNSSEC root KSK today. Make
sure your resolver (if it is validating) is ready. If you're
forwarding queries to an upstream resolver, you might also check
that the upstream is ready.
--
V