months. So the
version shipped is probably rather ancient and your mileage may vary.
[1] https://downloads.redhat.com/redhat/linux/enterprise/7Server/en/os/SRPMS/
[2] https://copr.fedorainfracloud.org/
-- Sandro
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
also signed the zone myself.
I would have expected the new registrar to take care of the DS record,
since they are now the party signing the zone.
-- Sandro
On 14-12-2022 19:13, Sandro wrote:
I recently (last weekend) moved the domain to a new registrar. The keys
are now managed by the registrar directly. At least I don't see an
option providing my own or additional keys in their web interface.
Moreover, I'm no longer running my own DNS server
them.
-- Sandro
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users
On 23-10-2022 01:18, Crist Clark wrote:
On Sat, Oct 22, 2022 at 3:20 PM Sandro wrote:
[snip]
Doing favors for the better good does not seem to be in their
dictionary. Look at DNSSEC.
Do you mean signing their domains or their public resolver services?
I was referring to signing
it will trickle down and get the
mopping done. I'm certainly in favor of reporting over working around
the issue. But I don't have customers breathing down my neck.
-- Sandro
id you check that BIND has access to key-directory?
In the example.com domain above you are using an absolute path. BIND
needs to be able to read and write in '/keys/dnssec/example.com'.
Normally this is a relative path. Relative to 'directory' option.
Think ownership, permission and things like SELinux, AppA
down to the country (NL), using the
intermediate steps provided, the figures for NL change:
World (XA): 61.35%
Europe (XE): 56.99%
Western Europe (QO): 56.99%
-- Sandro
, but it can be done using BIND as well.
-- Sandro
hope it's not a common
practice!
Mine doesn't. I agree with you that there are better solutions to the
problem(s) described than turning off DNSSEC completely.
Nevertheless, I run my own recursive DNS server using OpenNIC's root
server, thus bypassing my ISP completely.
-- Sandro
after re-reading the output I got from named-checkconf
and corrected it. It works now without check-names being modified.
The Let's Encrypt dns-01 challenge also succeeded.
-- Sandro
,
there's probably a reason for the default behavior of 'check-names' in BIND.
-- Sandro
[1] https://certbot-dns-rfc2136.readthedocs.io/en/stable/
[2] https://community.letsencrypt.org/t/domain-authentication-fails-with-dns-rfc2136-plugin/180103/8
[3] https://github.com/certbot/certbot/issues/770
with your point of view, that PIDFile in case of named has become obsolete.
So, I think we are on the same page here.
-- Sandro
r services where Type=
is set to forking.
So, it was probably just a simple misconfiguration and systemd applying
some of its "magic" to a non-existent file...
Anyway, in my case the PIDFile option is set, be it useful or not, and
SELinux is running in enforcing mode all withou
On 10-06-2022 15:27, Reindl Harald wrote:
Am 10.06.22 um 15:22 schrieb Sandro:
On 10-06-2022 12:53, Reindl Harald wrote:
if it would be useful my "ExecReload=/usr/bin/kill -HUP $MAINPID"
won't work for nearly 10 years without "PIDFile" (no i won't use and
configure rndc - keep it simple)
That's a personal choice, but probably not the answer to the OP's
question. The shipped unit file for named on Fedora (and by extension
RHEL) makes use of PID files. I presume to cater for cases where rndc is
not being used.
-- S
to move that over. But it doesn't hurt if you do.
Before starting named on the new system, assuming your main
configuration file is '/etc/named.conf', use:
named-checkconf -z /etc/named.conf
This will check your configuration and all your zones and tell you if
anything is wrong.
-- Sandro
of 'rndc zonestatus'. For the internal view I get a date in
the future for 'next resign time'. For the external view, the date is in
the past. Not sure if that's a telltale sign.
-- Sandro
omplete
(timestamps left out for brevity)
I verified with 'rndc status' that debug level is 0.
Has the behavior changed or am I completely misunderstanding something
here (again)?
-- Sandro
a contrast to the required semicolons in the BIND configuration
files. Many a time, when I first started using BIND, it would throw
errors at me because of a missing semicolon inside curly braces or right
after the closing one.
-- Sandro
rked around the issue defining it as follows:
20220317-a4qe._domainkey TXT "v=DKIM1; k=rsa; " (
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
That returns the full key and all parameters. So, this question is more
out of curiosity.
-- Sandro
On 26-05-2022 12:00, Sandro wrote:
Thank you, Matthijs, for pointing out the bug. Do you have any
suggestion for what to try first, key separation or policy separation?
Well, I went for key separation. Let's see if it sticks. Last time I
restarted BIND everything seemed fine in the beginning
On 26-05-2022 11:05, Sandro wrote:
I'll take a look at the bug report in a minute.
Well, there are similarities between #2463 and my setup, but also
differences.
In my case, all zones are signed, internal and external. I have one
dnssec-policy defined in the options section, which
On 23-05-2022 16:12, Sandro wrote:
I'll do some more digging through the log files. I meanwhile increased
the severity to 'debug 3' for dnssec_debug.
I'm having some issues again. Not as severe as last time, since the
RRSIG records are all still within their validity period.
However, bind
mail arrived... ;)
-- Sandro
verbosity on?
[1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html?highlight=delv#verification
-- Sandro
On 23-05-2022 16:12, Sandro wrote:
I'll do some more digging through the log files. I meanwhile increased
the severity to 'debug 3' for dnssec_debug.
Nothing really pops out. I have scrolled through all the logs since
rotation on Sunday at midnight. Since increasing verbosity on category
the log files. I meanwhile increased
the severity to 'debug 3' for dnssec_debug.
-- Sandro
FcrfTtdZDxO1dmarFgvbb+jAM5dT8EOrqGdOywKjQqjL
dcSHfaFuR8qP5PyyrCW6UOqMxWRjelPqBQBaBIY2aA== )
I thought that with 'dnssec-policy default' BIND would take care of it.
Upon updating the zone, increase the serial number and tell named with
'rndc reload zone'. What am I missing?
-- Sandro
29 matches