of 'rndc zonestatus. For the internal view I get a date in
the future for 'next resign time'. For the external view, the date is in
the past. Not sure if that's a telltale sign.
-- Sandro
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds
the log files. I meanwhile increased
the severity to 'debug 3' for dnssec_debug.
-- Sandro
FcrfTtdZDxO1dmarFgvbb+jAM5dT8EOrqGdOywKjQqjL
dcSHfaFuR8qP5PyyrCW6UOqMxWRjelPqBQBaBIY2aA== )
I thought that with 'dnssec-policy default' BIND would take care of it.
Upon updating the zone, increase the serial number and tell named with
'rndc reload zone'. What am I missing?
-- Sandro
On 23-05-2022 16:12, Sandro wrote:
I'll do some more digging through the log files. I meanwhile increased
the severity to 'debug 3' for dnssec_debug.
Nothing really pops out. I have scrolled through all the logs since
rotation on Sunday at midnight. Since increasing verbosity on category
mail arrived... ;)
-- Sandro
On 23-05-2022 16:12, Sandro wrote:
I'll do some more digging through the log files. I meanwhile increased
the severity to 'debug 3' for dnssec_debug.
I'm having some issues again. Not as severe as last time, since the
RRSIG records are all still within their validity period.
However, bind
On 26-05-2022 11:05, Sandro wrote:
I'll take a look at the bug report in a minute.
Well, there are similarities between #2463 and my setup, but also
differences.
In my case, all zones are signed, internal and external. I have one
dnssec-policy defined in the options section, which
a contrast to the required semicolons in the BIND configuration
files. Many a time, when I first started using BIND, it would throw
errors at me because of a missing semicolon inside curly braces or right
after the closing one.
-- Sandro
On 26-05-2022 12:00, Sandro wrote:
Thank you, Matthijs, for pointing out the bug. Do you have any
suggestion for what to try first, key separation or policy separation?
Well, I went for key separation. Let's see if it sticks. Last time I
restarted BIND everything seemed fine in the beginning
rked around the issue defining it as follows:
20220317-a4qe._domainkeyTXT "v=DKIM1; k=rsa; " (
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ
That returns the full key and all parameters. So, this question is more
out of curiosity.
-- Sandro
omplete
(timestamps left out for brevity)
I verified with 'rndc status' that debug level is 0.
Has the behavior changed or am I completely misunderstanding something
here (again)?
-- Sandro
to move that over. But it doesn't hurt if you do.
Before starting named on the new system, assuming your main
configuration file is '/etc/named.conf', use:
named-checkconf -z /etc/named.conf
This will check your configuration and all your zones and tell you if
anything is wrong.
-- Sandro
verbosity on?
[1] https://bind9.readthedocs.io/en/latest/dnssec-guide.html?highlight=delv#verification
-- Sandro
,
there's probably a reason for the default behavior of 'check-names' in BIND.
-- Sandro
[1] https://certbot-dns-rfc2136.readthedocs.io/en/stable/
[2] https://community.letsencrypt.org/t/domain-authentication-fails-with-dns-rfc2136-plugin/180103/8
[3] https://github.com/certbot/certbot/issues/770
after re-reading the output I got from named-checkconf
and corrected it. It works now without check-names being modified.
The Let's Encrypt dns-01 challenge also succeeded.
-- Sandro
On 10-06-2022 15:27, Reindl Harald wrote:
On 10.06.22 at 15:22, Sandro wrote:
On 10-06-2022 12:53, Reindl Harald wrote:
if it would be useful my "ExecReload=/usr/bin/kill -HUP $MAINPID"
won't work for nearly 10 years without "PIDFile" (no I won't use and
configure r
with your point of view, that PIDFile in case of named has become obsolete.
So, I think we are on the same page here.
-- Sandro
r services where Type=
is set to forking.
So, it was probably just a simple misconfiguration and systemd applying
some of its "magic" to a non-existent file...
Anyway, in my case the PIDFile option is set, be it useful or not, and
SELinux is running in enforcing mode all withou
le" (no I won't use and
configure rndc - keep it simple)
That's a personal choice, but probably not the answer to the OP's
question. The shipped unit file for named on Fedora (and by extension
RHEL) makes use of PID files. I presume to cater for cases where rndc is
not being used.
-- S
it will trickle down and get the
mopping done. I'm certainly in favor of reporting over working around
the issue. But I don't have customers breathing down my neck.
-- Sandro
On 23-10-2022 01:18, Crist Clark wrote:
On Sat, Oct 22, 2022 at 3:20 PM Sandro wrote:
[snip]
Doing favors for the better good does not seem to be in their
dictionary. Look at DNSSEC.
Do you mean signing their domains or their public resolver services?
I was referring to signing
hope it's not a common
practice!
Mine doesn't. I agree with you that there are better solutions to the
problem(s) described than turning off DNSSEC completely.
Nevertheless, I run my own recursive DNS server using OpenNIC's root
server, thus bypassing my ISP completely.
-- Sandro
, but it can be done using BIND as well.
-- Sandro
down to the country (NL), using the
intermediate steps provided, the figures for NL change:
World (XA): 61.35%
Europe (XE): 56.99%
Western Europe (QO): 56.99%
-- Sandro
id you check that BIND has access to key-directory?
In the example.com domain above you are using an absolute path. BIND
needs to be able to read and write in '/keys/dnssec/example.com'.
Normally this is a relative path. Relative to 'directory' option.
Think ownership, permission and things like SELinux, AppA
them.
-- Sandro
also signed the zone myself.
I would have expected the new registrar to take care of the DS record,
since they are now the party signing the zone.
-- Sandro
On 14-12-2022 19:13, Sandro wrote:
I recently (last weekend) moved the domain to a new registrar. The keys
are now managed by the registrar directly. At least I don't see an
option providing my own or additional keys in their web interface.
Moreover, I'm no longer running my own DNS server
months. So the
version shipped is probably rather ancient and your mileage may vary.
[1] https://downloads.redhat.com/redhat/linux/enterprise/7Server/en/os/SRPMS/
[2] https://copr.fedorainfracloud.org/
-- Sandro