Re: Capabilities and limitations of catalog zones

2022-02-09 Thread John Thurston



On 2/9/2022 2:36 AM, Tony Finch wrote:
> John Thurston  wrote:
>
>> Are we not able to use catalog zones to propagate zone-configuration for
>> anything other than 'master' zones?
>
> It is only for configuring authoritative secondary zones.




That's unfortunate, but thanks for the confirmation. I had been looking 
forward to making this work :(


We have only a couple of authoritative zones, but over 60 forward zones. 
And I expect far more growth and complexity in forward zones than in our 
authoritative zones (thanks to "cloud", and split private/public 
name-spaces).


At least I now know to draw a line through "catalog zones", and pursue 
other distribution options.


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dnssec: ds showing hidden 3+ days after key roll

2022-02-09 Thread Matthijs Mekking

Hi Larry,

Without more information it is hard to tell what is going on.

Can you share your dnssec-policy and the contents of the key state file? 
And if you have useful logs (grep for keymgr) that would be handy too to 
see what is going on.


If you prefer to share them off list, you can mail them me directly.

Best regards,

Matthijs

On 08-02-2022 18:00, Larry Rosenman wrote:
> Greetings,
>     new poster. I just converted over to DNSSEC-policy, and rolled my
> KSK. I see:
>
> key: 269 (RSASHA256), KSK
>   published:  yes - since Sun Feb  6 14:31:32 2022
>   key signing:    yes - since Sun Feb  6 14:31:32 2022
>
>   No rollover scheduled
>   - goal:   omnipresent
>   - dnskey: omnipresent
>   - ds: hidden
>   - key rrsig:  omnipresent
>

> Is it normal to see the ds as hidden? It IS published, and I told rndc
> that.
>
> Any insight appreciated.
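A small parser for the `rndc dnssec -status` output quoted above, added here as an example and not part of the thread. With dnssec-policy, the DS state of a KSK stays `hidden` until named is told the DS record is in the parent zone, which in the BIND 9.16 series is done with `rndc dnssec -checkds published <zone>` (presumably what "I told rndc that" refers to); until that happens the key reports `goal: omnipresent` with `ds: hidden`, exactly as in Larry's output. The function `keys_waiting_for_ds` flags KSK/CSK keys in that state so an operator can spot which keys are stuck before a rollover. The sample status text is constructed from the format shown in the thread (the second ZSK entry and its timestamps are made up).

```python
import re

# Constructed sample in the layout of `rndc dnssec -status` as quoted in the
# thread; key 269 is Larry's KSK, the ZSK entry is invented for contrast.
SAMPLE_STATUS = """\
key: 269 (RSASHA256), KSK
  published:  yes - since Sun Feb  6 14:31:32 2022
  key signing:    yes - since Sun Feb  6 14:31:32 2022

  No rollover scheduled
  - goal:   omnipresent
  - dnskey: omnipresent
  - ds: hidden
  - key rrsig:  omnipresent

key: 40312 (RSASHA256), ZSK
  published:  yes - since Sun Feb  6 14:31:32 2022
  zone signing:   yes - since Sun Feb  6 14:31:32 2022

  No rollover scheduled
  - goal:   omnipresent
  - dnskey: omnipresent
  - zone rrsig: omnipresent
"""

# "key: <id> (<algorithm>), <role>" opens each key block.
KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s+(KSK|ZSK|CSK)\s*$")
# "  - <state name>: <value>" lines carry the per-record state machine.
STATE_RE = re.compile(r"^\s*-\s+([a-z ]+?):\s+(\S+)\s*$")


def parse_dnssec_status(text: str) -> list:
    """Return one dict per key: id, algorithm, role and its state map."""
    keys = []
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = {"id": int(m.group(1)), "alg": m.group(2),
                       "role": m.group(3), "states": {}}
            keys.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current["states"][m.group(1).strip()] = m.group(2)
    return keys


def keys_waiting_for_ds(text: str) -> list:
    """IDs of DS-bearing keys that want to be omnipresent but whose DS is
    still hidden, i.e. named has not yet been told the DS is published."""
    return [k["id"] for k in parse_dnssec_status(text)
            if k["role"] in ("KSK", "CSK")
            and k["states"].get("goal") == "omnipresent"
            and k["states"].get("ds") == "hidden"]


if __name__ == "__main__":
    for k in parse_dnssec_status(SAMPLE_STATUS):
        print(k["id"], k["role"], k["states"])
    print("waiting for DS confirmation:", keys_waiting_for_ds(SAMPLE_STATUS))
```

Feed it the real output of `rndc dnssec -status <zone>`; a non-empty result means the rollover will not complete until the DS is confirmed to named, regardless of whether the DS is actually present at the parent.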




Re: Capabilities and limitations of catalog zones

2022-02-09 Thread Tony Finch
John Thurston  wrote:

> Are we not able to use catalog zones to propagate zone-configuration for
> anything other than 'master' zones?

It is only for configuring authoritative secondary zones. You are right
that this isn't completely clear in the documentation, unless you read the
whole section carefully (it is not stated explicitly in the section's
introduction).

https://bind9.readthedocs.io/en/v9_16_25/advanced.html#catalog-zones

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Rockall, Malin, Hebrides, Bailey: West, becoming cyclonic, 7 to severe
gale 9, occasionally storm 10 except Malin, becoming north or
northwest 5 to 7 later. High or very high, occasionally very rough
later. Squally wintry showers. Moderate or poor.



Re: Capabilities and limitations of catalog zones

2022-02-09 Thread Aram Sargsyan

That's right, catalog zones are for synchronizing the list of zones served by 
the primary, so that the secondaries can retrieve those zones using AXFR/IXFR. 
You can't even use "allow-transfer" on a forward zone, so it is not meant to be 
transferred to secondaries. 

A couple of observations about your configuration:

> version IN TXT "2"

Currently BIND supports only version "1", though it is not being enforced at
this moment.

> forwarders { 10..11.12.13; };

BIND shouldn't even start with this invalid IP address (two dots).
-- 
Aram
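To make the two points in this thread concrete (a catalog zone only lists zones the consumer will configure as secondaries, and the `version` TXT record must be "1"), here is an added example that builds and parses a minimal catalog zone. It is not code from the thread or from BIND. A member zone is published as a PTR record under `zones.<catalog>` whose owner label is the hex SHA-1 of the zone name in DNS wire format; `parse_catalog` recomputes that hash, rejects any version other than "1", and returns the member list. The catalog name `catalog.example` and the member zones are constructed sample values.

```python
import hashlib


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format encoding of an absolute, lower-cased DNS name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def member_label(zone: str) -> str:
    """Owner label of a catalog member: hex SHA-1 over the wire-format zone name."""
    return hashlib.sha1(wire_name(zone)).hexdigest()


def build_catalog(catalog: str, zones, version: str = "1") -> str:
    """Render a catalog zone in presentation format for the given member zones.
    Only a zone list is expressible here: a consumer turns every member into a
    secondary zone, so forward zones have no representation."""
    cat = catalog.rstrip(".") + "."
    lines = [
        "$TTL 3600",
        f"{cat} IN SOA . . 1 3600 600 86400 3600",
        f"{cat} IN NS invalid.",
        f'version.{cat} IN TXT "{version}"',
    ]
    for z in zones:
        lines.append(f"{member_label(z)}.zones.{cat} IN PTR {z.rstrip('.')}.")
    return "\n".join(lines) + "\n"


def parse_catalog(text: str, catalog: str) -> list:
    """Return the member zones of a catalog zone, validating version and labels."""
    cat = catalog.rstrip(".").lower() + "."
    version = None
    members = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):      # skip $TTL/$ORIGIN directives
            continue
        fields = line.split()
        try:
            i = fields.index("IN")
            rtype, rdata = fields[i + 1], fields[i + 2:]
        except (ValueError, IndexError):
            continue
        owner = fields[0].lower()
        if owner == "version." + cat and rtype == "TXT":
            version = " ".join(rdata).strip('"')
        elif owner.endswith(".zones." + cat) and rtype == "PTR":
            label = owner[: -len(".zones." + cat)]
            zone = rdata[0]
            if label != member_label(zone):
                raise ValueError(f"label {label} is not the hash of {zone}")
            members.append(zone.rstrip(".").lower())
    if version != "1":
        # Mirrors the observation in the thread: BIND only knows version "1".
        raise ValueError(f"unsupported catalog zone version: {version!r}")
    return members


if __name__ == "__main__":
    text = build_catalog("catalog.example", ["example.com", "example.org"])
    print(text)
    print("members:", parse_catalog(text, "catalog.example"))
```

Run it to see the generated zone text; the consumer side of BIND (`catalog-zones { zone "catalog.example" ... }` in `named.conf`) does the same hash-to-name mapping internally and creates one `type secondary` zone per PTR record.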