Re: own IPv6 zones but no IPv6 uplink

2014-07-14 Thread Steffen Sledz
On 12.07.2014 01:19, Mark Andrews wrote: In message 53c009d4.4000...@imperial.ac.uk, Phil Mayers writes: On 11/07/14 16:45, Steffen Sledz wrote: We have a local DNS server providing local IPv6 zones (fd44:...). The server itself is reachable via IPv4 and IPv6 but has no IPv6 uplink. With

Re: own IPv6 zones but no IPv6 uplink

2014-07-14 Thread Steffen Sledz
On 12.07.2014 01:56, Alan Clegg wrote: On 7/11/14, 7:19 PM, Mark Andrews wrote: For the record it isn't the zone. It's enabling IPv6 locally without having a working upstream link. You would get that message without the zone being

Re: own IPv6 zones but no IPv6 uplink - solved

2014-07-14 Thread Steffen Sledz
On 11.07.2014 17:59, Phil Mayers wrote: On 11/07/14 16:45, Steffen Sledz wrote: We have a local DNS server providing local IPv6 zones (fd44:...). The server itself is reachable via IPv4 and IPv6 but has no IPv6 uplink. With our current configuration everything works well, but we've a lot of

Re: Public facing authoritative NS all masters

2014-07-14 Thread Tony Finch
Gary Wallis wgg1...@gmail.com wrote: What are the drawbacks, if any, of running only master name servers for the set of authoritative NSs? That depends entirely on how you are replicating the zone data. The DNS's own replication (AXFR, IXFR, NOTIFY, TSIG) is pretty hard to beat: it is fast,

Re: Public facing authoritative NS all masters

2014-07-14 Thread Gary Wallis
Thank you Tony and Joseph, I think you have explained this well, and most importantly, exposed the underlying issues. Best regards, Gary On 7/14/2014 06:27, Tony Finch wrote: Gary Wallis wgg1...@gmail.com wrote: What are the drawbacks, if any, of running only master name servers for the

Re: own IPv6 zones but no IPv6 uplink

2014-07-14 Thread Alan Clegg
On 7/14/14, 2:05 AM, Steffen Sledz wrote: On 12.07.2014 01:56, Alan Clegg wrote: On 7/11/14, 7:19 PM, Mark Andrews wrote: For the record it isn't the zone. It's enabling IPv6 locally without having a working upstream link. You would get that message without the zone being configured.

problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
We roll our KSKs for our edu domain annually in July, after which I need to manually go to the EDUCAUSE management site to delete the old DS records for the key no longer in use, and add the new DS records for the key just published and scheduled to be used the following year. This year, after

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 01:24:38PM -0700, Paul B. Henson hen...@acm.org wrote a message of 135 lines which said: And finally, the new key I just created, for which I'm trying to add DS records. The dsset file created by dnssec-signzone says these records should be: I find the same values

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Stephane Bortzmeyer
On Mon, Jul 14, 2014 at 10:40:19PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 19 lines which said: So, I suspect a bug in EDUCAUSE. Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU issue.

RE: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
From: Stephane Bortzmeyer Sent: Monday, July 14, 2014 1:43 PM So, I suspect a bug in EDUCAUSE. Your DNSKEY set being a little over 1500 bytes, you may suspect a MTU issue. Cool, thanks for double checking me and a potential problem to look at. Makes me feel a little bit better that it

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Mark Andrews
The new key does not sign the DNSKEY RRset. % dig csupomona.edu dnskey +rrcomm +dnssec | grep 58561 csupomona.edu. 43072 IN DNSKEY 257 3 8 AwEAAdSfxR9Es3kRy4G0elMdTaxzQ8zWw9urWU1Tq4kc21Ca0wsFZQCB 1jU5XNXCiITwEiRboxO5nOgBHGqI0+Et39NUr7Oi252bsKowQbibnd3Y

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote: The new key does not sign the DNSKEY RRset. [...] Make sure the DNSKEY RRset is signed with the new key then try to add the DS record to the parent. It's intentionally not being used for signing; it's published but not yet

Re: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Mark Andrews
In message 20140715004923.gg31...@bender.unx.csupomona.edu, Paul B. Henson writes: On Tue, Jul 15, 2014 at 10:19:10AM +1000, Mark Andrews wrote: The new key does not sign the DNSKEY RRset. [...] Make sure the DNSKEY RRset is signed with the new key then try to add the DS record to the

RE: problem registering DS records with EDUCAUSE, sanity check please

2014-07-14 Thread Paul B. Henson
From: Mark Andrews Sent: Monday, July 14, 2014 6:33 PM For a DS to *work* it needs to point to a key that signs the DNSKEY RRset. Validators check that the signature exists. Activating the key will add 1 signature to the zone. Let me preface this reply by indicating that I am far from a