Re: Mixing Algorithms for DNSSEC
On 10/15/2011 08:32 PM, Mark Elkins wrote:
> So what you are saying in practical terms is in order to migrate from
> RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> cycle once a year) and then at exactly the same time start using
> RSASHA256 on the KSK's (which cycle every month) - making any existing

Why are you rotating your KSK monthly, but your ZSK yearly? That's the wrong way round, surely?

(ZSK signs a lot more data, so a determined attacker has much more known-plaintext with which to brute-force your ZSK; KSK only signs the ZSK, so can be left in-place for longer)

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Mixing Algorithms for DNSSEC
On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote:
> On 10/15/2011 08:32 PM, Mark Elkins wrote:
> > So what you are saying in practical terms is in order to migrate from
> > RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which
> > cycle once a year) and then at exactly the same time start using
> > RSASHA256 on the KSK's (which cycle every month) - making any existing
>
> Why are you rotating your KSK monthly, but your ZSK yearly? That's the
> wrong way round, surely?

*blush* - Yes. Should check what I write more closely. KSK about once a year and ZSK about once a month is more or less what I really do.

--
Mark Elkins m...@posix.co.za
Posix Systems
Re: CNAME record for the root of the domain
I'm sorry but I still didn't understand if it's possible to do it with some workaround, and if yes HOW to do it.

Thanks,
Niccolò
DNS Sinkhole in BIND
Hi,

Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit edition.

Regards
babu
Re: BIND/named on VM
On 10/14/2011 1:49 PM, Walter Smith wrote:
> Hello folks,
> I would like to setup latest BIND/named [slaves] within VMware
> environment - is there any implications I should be aware of? Since I
> saw some issues running NTPd on VMware - thinking may be 'named' might
> have similar issues...

Nameservers are not that sensitive to time even with DNSSEC. TSIG, for example, only requires you to be within 5 minutes. As long as you are keeping your clock synchronized within reasonable limits you should have no problems with BIND.

As others have recommended, VMware has published guidelines on running NTPd on various host platforms running on top of VMware and you should review these for your specific configurations.

Danny
NTP Development
Re: CNAME record for the root of the domain
2011/10/16 Niccolò Belli darkba...@linuxsystems.it:
> I'm sorry but I still didn't understand if it's possible to do it with
> some workaround, and if yes HOW to do it.

No, you can't have a CNAME at the top of a zone. A zone requires an SOA and CNAMEs cannot co-exist with ANY other record.

Depending on exactly what you are trying to accomplish, you might get there by:

1. A DNAME in the parent. This aliases the entire domain, so this might or might not do what you want.
2. Use an A (and other records as needed) instead of a CNAME.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
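The rule stated in the reply above can be checked mechanically before a zone is loaded. The following is an added example, not part of the original post: a small linter that flags any owner name where a CNAME sits beside other record types. The zone text is constructed sample data, the function names are hypothetical, and the parser assumes one fully-qualified record per line.

```python
from collections import defaultdict

# Constructed sample zone (documentation names and addresses only).
SAMPLE_ZONE = """\
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN CNAME web.hosting.example.net.   ; CNAME at the apex
www.example.com.  3600 IN CNAME web.hosting.example.net.
ftp.example.com.  3600 IN CNAME www.example.com.
ftp.example.com.  3600 IN A     192.0.2.10
ns1.example.com.  3600 IN A     192.0.2.53
"""

# In a signed zone, RRSIG and NSEC must accompany a CNAME (RFC 4035, 2.5),
# so they are not counted as conflicts. Every other type is.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_records(text):
    """Yield (owner, rrtype) from 'owner ttl class type rdata' lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        owner, _ttl, _cls, rrtype = fields[:4]
        yield owner.lower(), rrtype.upper()


def cname_conflicts(text):
    """Return {owner: [conflicting types]} for names that hold a CNAME."""
    types_by_owner = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types_by_owner[owner].add(rrtype)
    problems = {}
    for owner, types in types_by_owner.items():
        clash = types - ALLOWED_WITH_CNAME
        if "CNAME" in types and clash:
            problems[owner] = sorted(clash)
    return problems


if __name__ == "__main__":
    for owner, clash in cname_conflicts(SAMPLE_ZONE).items():
        print(f"{owner}: CNAME cannot coexist with {', '.join(clash)}")
```

The apex always carries SOA and NS, so a CNAME there is always reported; www.example.com. holds only a CNAME and passes.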
Re: DNS Sinkhole in BIND
Babu

The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver:

    // Networks whose queries are ignored
    acl black-hats {
        10.0.2.0/24;
        192.168.0.0/24;
    };

    // Networks that get normal service
    acl red-hats {
        10.0.1.0/24;
    };

    options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-recursion { red-hats; };
    };

This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.

Regards
TCPWave Customer Care

On Sun, 2011-10-16 at 23:30 +0530, babu dheen wrote:
> Hi,
> Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit
> edition.
> Regards
> babu
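To see what the configuration in the reply above does for a given client, including one that is in neither list, here is an added example that is not part of the original post. It is a simplified model of the three options shown, not BIND's own code; the function names and result labels are hypothetical, and the test addresses are constructed.

```python
import ipaddress

# ACLs and options copied from the configuration in the reply.
ACLS = {
    "black-hats": ["10.0.2.0/24", "192.168.0.0/24"],
    "red-hats": ["10.0.1.0/24"],
}
OPTIONS = {
    "blackhole": ["black-hats"],
    "allow-query": ["red-hats"],
    "allow-recursion": ["red-hats"],
}


def in_acl(addr, acl_names):
    """True if addr falls inside any network of the named ACLs."""
    ip = ipaddress.ip_address(addr)
    return any(
        ip in ipaddress.ip_network(net)
        for name in acl_names
        for net in ACLS[name]
    )


def classify(addr):
    """Model the outcome for a query arriving from addr."""
    # blackhole is evaluated first: the query is dropped with no reply.
    if in_acl(addr, OPTIONS["blackhole"]):
        return "dropped"
    # Clients outside allow-query get an explicit REFUSED response.
    if not in_acl(addr, OPTIONS["allow-query"]):
        return "refused"
    # Permitted clients are answered; recursion is a separate permission.
    if in_acl(addr, OPTIONS["allow-recursion"]):
        return "answered, recursion allowed"
    return "answered, no recursion"


if __name__ == "__main__":
    # Constructed client addresses: one per ACL plus one in neither.
    for client in ("10.0.2.7", "192.168.0.1", "10.0.1.20", "203.0.113.5"):
        print(f"{client:15} -> {classify(client)}")
```

Because allow-query names only red-hats, every client outside 10.0.1.0/24 is turned away, not just the black-hats networks; the difference is that black-hats receive no response at all.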