Re: DNSSEC
On Sat, Jan 17, 2015 at 9:21 AM, Jeremy C. Reed wrote:

> On Sat, 17 Jan 2015, John wrote:
>
> > is there a separate DNSSEC mailing list?
>
> You may use this bind-users list to discuss DNSSEC.
>
> There are other lists for DNSSEC managed outside of ISC and not specific
> to BIND, such as:
> Dnssec-deployment.org (but I cannot access their mailman webpage
> currently)

DNSSEC-DEPLOYMENT was recently moved to a new server in a different organization. Things are supposed to be progressing, but it seems to be taking forever to get things like list management up. Last post I saw said mid-January. That should mean about now.

--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How to alias a domain
> On 16 Jan 2015, at 15:36, John wrote:
>
> DNAME will not work with DNSSEC.

Other people have already corrected this statement, but I want to point out there are situations where DNAME makes DNSSEC easier.

We use it extensively in our reverse DNS to delegate 128.232.128.0/17 from one part of Cambridge to another. Instead of having 128 sub-zones from 128.232.128.in-addr.arpa to 255.232.128.in-addr.arpa, we have 128 DNAME records[*] that redirect to subdomains of the slightly weirdly named in-addr.arpa.cam.ac.uk zone. This means we only need to manage one secure delegation (which does not cross organizational boundaries) instead of 128 secure delegations (which do).

[*] Actually, 127 DNAMEs and 256 CNAMEs. There is a mail server in one of the /24s and some recipient servers choke on DNAMEs when checking reverse DNS. Sigh.

Tony.
--
f.anthony.n.finch http://dotat.at
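The DNAME layout described in the message above, worked through as an added example (not part of the original post and not Cambridge's actual zone data): RFC 6672 DNAME substitution applied to reverse names in 128.232.128.0/17, with one /24 served by per-address CNAMEs as in the footnote. The target names under in-addr.arpa.cam.ac.uk and the choice of /24 number 200 for the CNAMEs are assumptions made for the illustration.

```python
# Added illustration of RFC 6672 DNAME substitution for the reverse-DNS layout
# in the post. Target names below in-addr.arpa.cam.ac.uk are assumed.
TARGET_ZONE = "in-addr.arpa.cam.ac.uk"   # zone named in the post
NET = "232.128"                          # 128.232.x.y, octets reversed


def labels(name):
    """Lower-cased labels of a domain name, ignoring any trailing dot."""
    return [part.lower() for part in name.rstrip(".").split(".") if part]


def dname_rewrite(qname, owner, target):
    """Apply `owner DNAME target` to qname; None if the DNAME does not apply.

    Only names strictly below the owner are redirected, never the owner itself.
    """
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    return ".".join(q[:-len(o)] + labels(target))


def build_records(cname_octet):
    """Records for 128.232.128.0/17: a DNAME per /24, except one /24
    (cname_octet, a constructed choice) that gets per-address CNAMEs."""
    dnames, cnames = {}, {}
    for n in range(128, 256):
        owner = f"{n}.{NET}.in-addr.arpa"
        target = f"{n}.{NET}.{TARGET_ZONE}"      # assumed naming scheme
        if n == cname_octet:
            for host in range(256):
                cnames[f"{host}.{owner}"] = f"{host}.{target}"
        else:
            dnames[owner] = target
    return dnames, cnames


def ptr_location(ip, dnames, cnames):
    """Name where the PTR for an IPv4 address is finally looked up."""
    qname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    if qname in cnames:
        return cnames[qname]
    for owner, target in dnames.items():
        rewritten = dname_rewrite(qname, owner, target)
        if rewritten:
            return rewritten
    return qname  # outside the redirected range
```

Every redirected name ends up inside the single target zone, which is why only one secure delegation has to be maintained.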
Re: DNSSEC
Another list which often discusses DNSSEC (though its remit is wider than that) is
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Not relevant to the original poster but maybe of interest to those in UK academia is
https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=DNSSEC-DISCUSS

Tony.
--
f.anthony.n.finch http://dotat.at
Re: Disable DNSSEC Validation for selected Domains
> -----Original Message-----
> From: Evan Hunt [mailto:e...@isc.org]
>
> On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
> > I'm just wondering, is an option like unbound's "domain-insecure"
> > intentionally not implemented in BIND? Or did just nobody care
> > enough to implement it yet?
>
> I have resisted implementing it because it's too easy for an
> operator to forget they knocked a hole in their DNSSEC protections,
> and leave the hole in place long after it stopped being useful.
>
> The negative trust anchor implementation that will be released in
> 9.11 corrects for this with built-in term limits. NTAs are added
> via rndc, and they expire and are removed after a relatively short
> lifespan, not exceeding a week.

On Wed, Jan 14, 2015 at 10:34:35AM +0100, stefan.las...@t-systems.com wrote:
> Hm... In our case a short lifespan won't be enough.

I hate to point this out, but a simple workaround to make NTAs permanent is to have a cron job which runs your "rndc nta" command as often as needed.

May Evan and the gods of DNSSEC have mercy on my soul! :(

> Our customer uses a fictional Toplevel Domain and migrating the
> whole Infrastructure to a new, proper Domain will take him months
> if not years. They'll have to adjust every DNS Config of every
> Server, every Webservice they have running internally, all
> Documentations etc... I wouldn't be surprised if they are not even
> aware of the problem, yet.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: DNSSEC
On 1/17/2015 12:21 PM, Jeremy C. Reed wrote:
> On Sat, 17 Jan 2015, John wrote:
>
> > is there a separate DNSSEC mailing list?
>
> You may use this bind-users list to discuss DNSSEC.
>
> There are other lists for DNSSEC managed outside of ISC and not specific
> to BIND, such as:
> Dnssec-deployment.org (but I cannot access their mailman webpage
> currently)

Thanks

--
John Allen
KLaM
--
Save the whales. Collect the whole set.
Re: DNSSEC
On 1/17/2015 12:12 PM, /dev/rob0 wrote:
> On Sat, Jan 17, 2015 at 11:43:33AM -0500, John wrote:
>
> > is there a separate DNSSEC mailing list?
>
> If *you* are using BIND for signing or validation, anything
> pertaining to DNSSEC is quite relevant here.
>
> Google for "dnssec mailing list" brought up a few possibilities.

Thanks.

--
John Allen
KLaM
--
How do you tell when you're out of invisible ink?
Re: DNSSEC
On Sat, 17 Jan 2015, John wrote:

> is there a separate DNSSEC mailing list?

You may use this bind-users list to discuss DNSSEC.

There are other lists for DNSSEC managed outside of ISC and not specific to BIND, such as:
Dnssec-deployment.org (but I cannot access their mailman webpage currently)
Re: DNSSEC
On Sat, Jan 17, 2015 at 11:43:33AM -0500, John wrote:
> is there a separate DNSSEC mailing list?

If *you* are using BIND for signing or validation, anything pertaining to DNSSEC is quite relevant here.

Google for "dnssec mailing list" brought up a few possibilities.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
DNSSEC
is there a separate DNSSEC mailing list?

--
John Allen
KLaM
--
A day without sunshine is like, night?
Re: How to alias a domain
On 1/16/2015 10:26 AM, Phil Mayers wrote:

Turned out that my (old) router was glitching and losing stuff along the way. New router solved problem!

--
John Allen
KLaM
--
How do you tell when you're out of invisible ink?