Al,
On 3/4/24 17:15, Al Whaley wrote:
Matthijs, Petr,
Thanks for responding.
I am trying to make the case that one can NOT do the same things with
'lifetime unlimited'. One can do some of the same positive things, but
only if conditions are just right, and one cannot block the negative
Matthijs, Petr,
Thanks for responding.
I am trying to make the case that one can NOT do the same things with
'lifetime unlimited'. One can do some of the same positive things, but
only if conditions are just right, and one cannot block the negative
overriding key replacement. If I have it
On 3/1/24 12:23, G.W. Haywood wrote:
Hi there,
On Fri, 1 Mar 2024, Ondřej Surý wrote:
On 26. 2. 2024, at 22:41, Al Whaley wrote:
> A lot of pain and suffering in this world comes from people being
> sure they have a 'better idea' and everybody needs to do whatever.
> This feels a bit like
Hi there,
On Fri, 1 Mar 2024, Petr Špaček wrote:
On 01. 03. 24 12:23, G.W. Haywood wrote:
... Maybe the lesson here is that if you're using BIND other than
because it happened to come with your distro, then it's probably a
good idea to keep an eye on this list to monitor the plans for
On Fri, 1 Mar 2024, Ondřej Surý wrote:
I wanted to address this comment. We (the developers) don't remove the
features out of convenience or because we have 'better idea'.
It's a known problem with humans that the discipline to remove items is
oftentimes lacking, and that humans will tend to
On 01. 03. 24 12:23, G.W. Haywood wrote:
Do you have reasons for keeping 'inline-signing' or 'auto-dnssec'
configurations? Is there a use case that is not (yet) covered by
'dnssec-policy'? Any other concerns? Please let us know.
Hi there,
On Fri, 1 Mar 2024, Ondřej Surý wrote:
On 26. 2. 2024, at 22:41, Al Whaley wrote:
> A lot of pain and suffering in this world comes from people being
> sure they have a 'better idea' and everybody needs to do whatever.
> This feels a bit like that. ...
... ultimately, the developers
On 01. 03. 24 8:01, Ondřej Surý wrote:
On 26. 2. 2024, at 22:41, Al Whaley wrote:
A lot of pain and suffering in this world comes from people being sure they
have a 'better idea' and everybody needs to do whatever. This feels a bit like
that. A command that gives choice and real certainty
> On 26. 2. 2024, at 22:41, Al Whaley wrote:
>
> A lot of pain and suffering in this world comes from people being sure they
> have a 'better idea' and everybody needs to do whatever. This feels a bit
> like that. A command that gives choice and real certainty would be great.
Hi,
I wanted
On 2/27/24 19:35, Michael Richardson wrote:
Matthijs Mekking wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick is correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> -Original Message-
> From: bind-users On Behalf Of Carsten
...
> It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would
> report steps it would do because of "dnssec-policy", but will not execute the
> changes.
If this Bind9 is only a hidden primary, disable
Matthijs Mekking wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick is correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.
Is there a way to validate
Hi Ondřej,
> On 27. Feb 2024, at 16:43, Ondřej Surý wrote:
>
> Carsten, could you please file a feature request in the GitLab?
Done, #4606.
Greetings
Carsten
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this
Hi Jim,
> On 27. Feb 2024, at 16:39, Jim P. via bind-users
> wrote:
>
> There should also be an option to display the current configuration in
> specific detail to easily create a new KASP (side question: why does DNS
> need a new acronym?)
The term “KASP” for “Key-and-signing-policy” has
Carsten, could you please file a feature request in the GitLab?
Thanks,
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 27. 2. 2024, at 16:06, Carsten Strotmann via bind-users
On Tue, 2024-02-27 at 16:06 +0100, Carsten Strotmann via bind-users
wrote:
> It would be nice to have a "dry-run" mode in BIND 9, where BIND 9
> would report steps it would do because of "dnssec-policy", but will
> not execute the changes.
**This** ^^^
There should also be an option to display
Hi Matthijs,
On 27 Feb 2024, at 15:54, Matthijs Mekking wrote:
> - When migrating to dnssec-policy, make sure the configuration matches your
> existing keys.
Most of the problems I've seen so far have to do with this step: admins "think"
they have created a configuration that matches the current
As the main developer of dnssec-policy, I would like to confirm that
what has been said by Michael and Nick is correct.
I will repeat the most important takeaways:
- Setting the lifetime to unlimited on keys and BIND will never roll
your keys automatically.
- Most issues that were shared
Hi,
Here is a (possibly) helpful guide that might be of use when migrating
from auto-dnssec to dnssec-policy:
https://kb.isc.org/docs/dnssec-key-and-signing-policy
Thank you,
Darren Ankney
On Tue, Feb 27, 2024 at 1:01 AM Nick Tait via bind-users
wrote:
>
> On 27/02/2024 13:22, Michael Sinatra
On 27/02/2024 13:22, Michael Sinatra wrote:
On 2/26/24 13:41, Al Whaley wrote:
Originally (under the above command) RR records for DNSSEC were
maintained by bind, but the ZSK and KSK keys were maintained by me.
This command is being discarded. I understand that bind "sort of"
supports this
On 2/26/24 13:41, Al Whaley wrote:
As far as I have been able to determine through some fairly extensive
reading, a feature I depend on has fallen out of favor with the BIND
developers, and is being removed.
DNSSEC in 9.18 has two automatic actions where the original code had
just one, and
As far as I have been able to determine through some fairly extensive
reading, a feature I depend on has fallen out of favor with the BIND
developers, and is being removed.
DNSSEC in 9.18 has two automatic actions where the original code had
just one, and the second cannot be disabled.
I am
22 matches