Hi,
I'm pretty much new to DNSSEC and am trying to deploy my first BIND to
support it correctly.
My bind version is 9.9.4P2 and what I did is the following just to
allow DNSSEC verification (no zone management yet):
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside .
Wolfgang Rosenauer wrosena...@gmail.com wrote:
dnssec-validation auto;
dnssec-lookaside . trust-anchor dlv.isc.org.;
Why not use dnssec-lookaside auto; ?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
West Forties, Cromarty, Forth, Tyne, Dogger: Northerly or
On Thu, Jul 10, 2014 at 1:38 PM, Tony Finch d...@dotat.at wrote:
Wolfgang Rosenauer wrosena...@gmail.com wrote:
dnssec-validation auto;
dnssec-lookaside . trust-anchor dlv.isc.org.;
Why not use dnssec-lookaside auto; ?
No strong reason. I found many examples of how to set it up
Wolfgang Rosenauer wrosena...@gmail.com wrote:
Changed it now to dnssec-lookaside auto and it still behaves exactly
the same way.
What happens if you delete the managed-keys files and restart?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
North Utsire, South Utsire, East
On Thu, Jul 10, 2014 at 4:00 PM, Tony Finch d...@dotat.at wrote:
Wolfgang Rosenauer wrosena...@gmail.com wrote:
Changed it now to dnssec-lookaside auto and it still behaves exactly
the same way.
What happens if you delete the managed-keys files and restart?
first thing:
Wolfgang Rosenauer wrosena...@gmail.com wrote:
first thing:
2014-07-10T16:04:56.862405+02:00 s15418965 named[29815]:
managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': timed out
Eventually the file appeared a bit later with the dlv.isc.org key.
Suspicious. What do you get if you
On Thu, Jul 10, 2014 at 4:16 PM, Tony Finch d...@dotat.at wrote:
Suspicious. What do you get if you run
dig +short rs.dns-oarc.net txt
s15418965:~ # dig +short rs.dns-oarc.net txt
rst.x479.rs.dns-oarc.net.
rst.x488.x479.rs.dns-oarc.net.
rst.x493.x488.x479.rs.dns-oarc.net.
Firstly upgrade. You are out of date.
Secondly fix your firewall. You need to allow through 4K DNS UDP
messages. You need to turn off whatever is blocking the bigger
packets and you also need to allow through fragmented UDP packets.
Mark
In message
On Thu, Jul 10, 2014 at 4:54 PM, Mark Andrews ma...@isc.org wrote:
Firstly upgrade. You are out of date.
I currently run a distribution-provided version, which is pretty new
compared with most published Linux distributions, but if it helps I
would do that as well.
Secondly fix your firewall.
btw, don't know what that means exactly.
In addition to the output above for testing the UDP sizes: when I do that
on the correct/my BIND:
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
there is no output at all. Is that also expected, and is the reason the
UDP limitation?
Thanks,
Wolfgang
Wolfgang Rosenauer wrosena...@gmail.com wrote:
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
there is no output at all. Is that also expected, and is the reason the
UDP limitation?
Yes.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: Easterly or
ok, sorry for the confusion but I think what's more relevant is that
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
87.106.30.170 DNS reply size limit is at least 3843 bytes
87.106.30.170
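The rs.dns-oarc.net probe used in this thread walks a chain of ever-larger CNAME answers and finally returns a TXT record naming the largest reply that got through; when the large UDP replies (or their fragments) are dropped, as Mark describes, that TXT never arrives and `dig +short` prints only the CNAME chain, or nothing at all. The checker below is an added example written for this post, not code from the thread or from ISC; it parses the probe output offline from constructed samples modelled on the two runs above (the client address 192.0.2.10 is made up), classifies the result against BIND's default 4096-byte EDNS buffer, and includes a `check_resolver` helper that runs `dig` for real (assumes `dig` is on PATH and network access; not exercised by the offline samples).

```python
import re
import subprocess

# Constructed samples modelled on the two dig runs in the thread (not captured
# from a real resolver). The first shows the failure mode Tony confirmed: the
# CNAME chain comes back but the size-reporting TXT never does.
SAMPLE_NO_SIZE = """rst.x479.rs.dns-oarc.net.
rst.x488.x479.rs.dns-oarc.net.
rst.x493.x488.x479.rs.dns-oarc.net.
"""

# The second shows a limit below the 4096-byte EDNS buffer BIND advertises.
SAMPLE_LIMITED = """rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"192.0.2.10 DNS reply size limit is at least 3843 bytes"
"192.0.2.10"
"""

# dig +short prints TXT strings quoted; the quotes are optional here so that
# copy-pasted output with the quotes stripped (as in the thread) also parses.
LIMIT_RE = re.compile(
    r'"?(?P<ip>\S+) DNS reply size limit is at least (?P<bytes>\d+) bytes"?'
)

# BIND's default EDNS UDP payload size, the "4K DNS UDP messages" Mark refers to.
EDNS_BUFSIZE = 4096


def parse_oarc(output: str) -> dict:
    """Parse `dig +short rs.dns-oarc.net txt` output.

    Returns how many steps of the CNAME chain were answered, the reply-size
    limit the probe reported (None if that TXT never arrived) and the client
    address the test server saw.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    chain = [ln for ln in lines if ln.endswith("rs.dns-oarc.net.")]
    limit, client = None, None
    for line in lines:
        m = LIMIT_RE.search(line)
        if m:
            limit = int(m.group("bytes"))
            client = m.group("ip")
    return {"chain_depth": len(chain), "limit_bytes": limit, "client": client}


def assess(result: dict, required: int = EDNS_BUFSIZE) -> str:
    """Classify large-UDP reachability through the resolver under test."""
    if result["limit_bytes"] is None:
        # The big TXT answer never came back: the path drops large or
        # fragmented UDP, which also breaks fetching DNSKEY/DLV sets.
        return "no-answer"
    if result["limit_bytes"] < required:
        # Answers arrive, but only below the EDNS buffer size BIND asks for.
        return "limited"
    return "ok"


def check_resolver(server: str = "127.0.0.1") -> dict:
    """Run the probe against a resolver with dig (assumes dig on PATH, needs network)."""
    cmd = ["dig", f"@{server}", "+short", "rs.dns-oarc.net", "txt"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    result = parse_oarc(out)
    result["status"] = assess(result)
    return result


if __name__ == "__main__":
    for name, sample in (("no-size", SAMPLE_NO_SIZE), ("limited", SAMPLE_LIMITED)):
        parsed = parse_oarc(sample)
        print(name, parsed, assess(parsed))
```

Run it against the resolver being debugged with `check_resolver("127.0.0.1")` and against the system resolver for comparison; a `no-answer` or `limited` result points at the firewall or fragment handling on the path rather than at named.conf, which is why changing `dnssec-lookaside` made no difference in the thread.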
Folks, in a moment of gross stupidity I added --delete-delay to an
rsync invocation in a deploy script, to remove master zonefiles from
the server which are no longer needed. I forgot that the DNSSEC
auto-maintain journal files are in that directory too.
Seeing little things like this:
On 2014-07-10 at 12:33 -0400, Phil Pennock wrote:
Folks, in a moment of gross stupidity I added --delete-delay to an
rsync invocation in a deploy script, to remove master zonefiles from
the server which are no longer needed. I forgot that the DNSSEC
auto-maintain journal files are in that
In message <calm7facluvwf5jq1jcxxqw6lpzzqt4mtb-bhxu0synjhgcx...@mail.gmail.com>, Wolfgang Rosenauer writes:
ok, sorry for the confusion but I think what's more relevant is that
s15418965:~ # dig @127.0.0.1 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.