Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
> In 9.11, no. In 9.14, you can use "validate-except { local; };"

(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation on a given domain, but negative trust anchors expire after a while, so you have to keep doing it

Re: Exempt .local from dnssec validation on resolver?

2019-07-25 Thread Evan Hunt
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote:
> Is there any way to tell my resolver it shouldn't be validating
> responses for foo.local?

In 9.11, no. In 9.14, you can use "validate-except { local; };"

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

Exempt .local from dnssec validation on resolver?

2019-07-25 Thread John Thurston
For historical reasons we have some forward-zones defined on our resolver (v9.11.9). For example:

zone foo.local {type forward; forwarders { 10.1.2.3; }; };
zone bar.local {type forward; forwarders { 10.4.5.6; }; };

These are obviously invalid TLDs, and are defined on servers over which I have no

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread Ondřej Surý
The issue was caused by using GeoIP2 configuration with BIND 9.11 compiled with legacy GeoIP, so there’s no need to test it on your side. We are just missing the combination of the options that you have used that caused this, thus the issue. We would be able to test it ourselves then. Thank

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread FUSTE Emmanuel
On 25/07/2019 at 12:56, Ondřej Surý wrote:
> Hi Emmanuel,
>
> the crash should not happen because the discrepancy between the GeoIP and
> GeoIP2 configurations
> should have been caught earlier, so I would appreciate if you can submit an
> issue here:
>

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread Ondřej Surý
Hi Emmanuel, the crash should not happen because the discrepancy between the GeoIP and GeoIP2 configurations should have been caught earlier, so I would appreciate if you can submit an issue here: https://gitlab.isc.org/isc-projects/bind9/issues with more details on your named.conf. You can

Re: BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread FUSTE Emmanuel
Ok, I installed GeoLite2 databases and adapted named.conf.options and apparmor profile and my service is resumed. It is the second time I'm forced to switch from an ESV version to the latest version because of a bad update. Bugs are life, but do not pull previous version so quickly. I'm no

BIND 9.11.9-1+ubuntu18.04.1+deb.sury.org+2 crash

2019-07-25 Thread FUSTE Emmanuel
The new version crashes and the BIND 9.11.8-1+ubuntu18.04.1+deb.sury.org+1 was pulled from the repo. I'm trying the 9.14.4-1 as I need to resume the service but I have GeoIP2 migration problems. Please re-push the previous version in the repo. Emmanuel. Jul 25 10:54:08 ns1 systemd[1]: