Thanks Mark. It's right there in the log.
Bob
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users
Named will tell you which DNSSEC algorithms it supports. Depending upon the OS
and its configuration this may differ.
DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519
ED448
vs
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256
Would this be true for FreeBSD as well? I also have a bind 9.18.24
instance running on freeBSD
and it seems to be ok.
Bob
> The crypto policy stuff ultimately creates and maintains files in
/etc/crypto-policy/backends, which has a list of acceptable or
not-acceptable crypto settings.
> Whilst
From: bind-users on behalf of John Thurston
Date: Thursday, 18 April 2024 at 06:39
To: "bind-users@lists.isc.org"
Subject: Re: Answers for www.dnssec-failed.org with dnssec-validation auto;
Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock
had fallen on my h
Arrgh. You are correct. I was so far down in the weeds, I didn't notice
a rock had fallen on my head.
I know I can re-enable SHA1 for everything on the host with:
update-crypto-policies --set DEFAULT:SHA1
But that's a fairly broad stroke, when only 'named' needs to accept such
signatures. Is
My bind 9.18.24 server runs under Debian.
When I query with dig it appears to take long enough to resolve that it
goes to the next DNS server in the client's IP stack. The secondary server
in my list is quad9. It seems to resolve correctly. If I point to the
address of my Debian server, it works
Let me guess - you are running on RHEL (without SHA-1 support) and dnssec-failed.org is signed with RSA/SHA-1…--Ondřej Surý — ISC (He/Him)My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.On 17. 4. 2024, at 19:02, John
A fresh day, and a fresh idea - I just spun up a completely new instance
of named, listening on its own port, with a stripped down config. Now
the behavior is even stranger.
I can see the "no valid signature found" line in the server log, but my
'dig' still gets an answer. What I can see in
On 17/04/2024 11:41, John Thurston wrote:
I'm seeing strange behavior with a BIND 9.18.24 resolver and
dnssec-failed.org.
With no dnssec-validation line (or with "dnssec-validation auto") in
the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as
expected . . until it doesn't.
I'm seeing strange behavior with a BIND 9.18.24 resolver and
dnssec-failed.org.
With no dnssec-validation line (or with "dnssec-validation auto") in the
.conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected
. . until it doesn't. After several seconds of answering SERVFAIL, I
10 matches
Mail list logo
