Strange behaviour with DNSSec
Hello,

I am running an important subzone of the .museum zone (which implements both DNSSec and IDN) and I have a strange behavior going on…

Some requests seem not to be resolved correctly with certain operators… One out of six requests is not resolved correctly. Instead of giving the answer of the request, it returns the SOA record…

I used to run the latest bind 9.5.x branch. I have moved this morning to the 9.7.x branch… hoping this might help solve my problem.

Any idea how to test / investigate that further…

Sincerely yours.

Gregober --- PGP ID -- 0x1BA3C2FD
bsd @at@ todoo.biz

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Strange behaviour with DNSSec
Can you provide the domain name and an example of the problem? That will help in identifying the issue.

On 8/03/10 11:21 AM, bsd b...@todoo.biz wrote:
> Hello,
>
> I am running an important subzone of the .museum zone (which implements both DNSSec and IDN) and I have a strange behavior going on
>
> Some requests seem not to be resolved correctly with certain operators. One out of six requests is not resolved correctly. Instead of giving the answer of the request, it returns the SOA record
>
> I used to run the latest bind 9.5.x branch. I have moved this morning to the 9.7.x branch hoping this might help solve my problem.
>
> Any idea how to test / investigate that further
>
> Sincerely yours.
>
> Gregober --- PGP ID -- 0x1BA3C2FD
> bsd @at@ todoo.biz

--
Kal Feher
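Added example, not part of the original thread and not BIND code: a reply with an empty answer section and only an SOA record in the authority section is a negative response (NODATA, or NXDOMAIN when the RCODE is 3), so one way to investigate the report above is to classify every raw response collected from each server. The sample messages, the name www.example.museum and all function names below are constructed for illustration.

```python
import struct

TYPE_NS, TYPE_SOA = 2, 6

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] & 0xC0 != 0xC0:      # a compression pointer ends the name
        if msg[off] == 0:               # so does the root label
            return off + 1
        off += 1 + msg[off]
    return off + 2

def sections(msg):
    """Return (flags, answer TYPEs, authority TYPEs) of a wire-format message."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, types = 12, []
    for i in range(qd + an + ns):
        off = skip_name(msg, off)
        if i < qd:
            off += 4                    # a question carries only QTYPE and QCLASS
            continue
        rtype, rdlen = struct.unpack_from("!H6xH", msg, off)
        types.append(rtype)
        off += 10 + rdlen               # TYPE, CLASS, TTL, RDLENGTH, then RDATA
    return flags, types[:an], types[an:]

def classify(msg):
    """Name the kind of response from its RCODE and section contents."""
    flags, answer, authority = sections(msg)
    rcode = flags & 0x000F
    if rcode:
        return "NXDOMAIN" if rcode == 3 else "RCODE_%d" % rcode
    if answer:
        return "ANSWER"
    if TYPE_SOA in authority:
        return "NODATA"                 # NOERROR, empty answer, SOA in authority
    return "REFERRAL" if TYPE_NS in authority else "EMPTY"

# Constructed sample messages (not captured traffic) for www.example.museum A.
# \xc0\x0c points at www.example.museum (offset 12), \xc0\x10 at example.museum.
QUESTION = b"\x03www\x07example\x06museum\x00" + struct.pack("!HH", 1, 1)
def rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def response(flags, answers=(), authority=()):
    head = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    return head + QUESTION + b"".join(answers) + b"".join(authority)
SOA = rr(b"\xc0\x10", TYPE_SOA, b"\x03ns1\xc0\x10" + b"\x05admin\xc0\x10" + bytes(20))
GOOD = response(0x8400, answers=[rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 1]))])
SOA_ONLY = response(0x8400, authority=[SOA])
```

classify(GOOD) gives "ANSWER" and classify(SOA_ONLY) gives "NODATA"; counting the labels per authoritative server shows whether the one-in-six failures all come from the same server.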
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
On 3/7/10 10:46 AM, Danny Mayer wrote:
> Autokey is not a cryptographic signature protocol. It *is* an authentication protocol for the server only and there are a number of exchanges that need to be done to complete the authentication of the server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.

Correct, the comparison was only to point out that Autokey, like DNSSEC, doesn't encrypt payload because it doesn't need to.

michael
Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
> Date: Mon, 08 Mar 2010 10:03:26 -0800
> From: Michael Sinatra mich...@rancid.berkeley.edu
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> On 3/7/10 10:46 AM, Danny Mayer wrote:
> > Autokey is not a cryptographic signature protocol. It *is* an authentication protocol for the server only and there are a number of exchanges that need to be done to complete the authentication of the server. You cannot compare this with DNSSEC and nothing in NTP is encrypted.
>
> Correct, the comparison was only to point out that Autokey, like DNSSEC, doesn't encrypt payload because it doesn't need to.

More specifically, I don't WANT to encrypt the data for either DNS or NTP. In both cases I want the data to always be signed clear-text and that is what DNSSEC does.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Recursing only for white listed domains
Hi,

I would like to implement a server for an internal business unit to restrict recursion for only domains white listed by IT.

Can anyone share a config for a similar implementation?

thanks
Tom
Re: Recursing only for white listed domains
Hi,

For whitelisting a set of domains via their netblocks to allow recursion FROM them, the allow-recursion statement is your friend.

For a filtering setup, which I think is what you want to achieve, a web proxy is much more suitable. An internal root would allow you to do such things via DNS, but if you had that, you're likely to have web proxies as well.

Regards,
-mat

On Mar 8, 2010, at 8:29 PM, Joe User wrote:
> Hi,
>
> I would like to implement a server for an internal business unit to restrict recursion for only domains white listed by IT.
>
> Can anyone share a config for a similar implementation?
>
> thanks
> Tom
Re: Recursing only for white listed domains
On 3/8/2010 2:29 PM, Joe User wrote:
> Hi,
>
> I would like to implement a server for an internal business unit to restrict recursion for only domains white listed by IT.
>
> Can anyone share a config for a similar implementation?

Why do you think it's preferable to return a referral, for a query that's in a non-whitelisted domain, than it is to send back a REFUSED response, which is what happens in a more typical restricted-query configuration? If the client could do something useful with a referral, it almost certainly wouldn't have been sending a recursive query in the first place.

- Kevin