Re: forced to execute DNS64

2016-10-10 Thread Mark Andrews
DNS64 doesn't work like that. If you are having problems connecting over IPv6 contact your service provider. Facebook treats IPv6 as a production service and will deal with connectivity issues. If you want to force browsers to use IPv4 then send back RST to the connection attempts to reach the

forced to execute DNS64

2016-10-10 Thread LEE SUKMOON
Hello, All. Many clients queries to IPv6(IN/) domain. But IPv6 network is so far, then slow then IPv4 network. I want to forced dns64 for special domain. Example, 'm.facebook.com' IN/ address is '2a03:2880:f115:83:face:b00c:0:25de'. But I don't want to use IPv6 address. So I want to

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Jim Popovitch
On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger wrote: > > http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/ > > After the DS TTL expired I removed the old DS, so the zone now looks > like this: > > http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/ > TBH, the prior one looks

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Sebastian Wiesinger
* Tony Finch [2016-10-10 12:36]: > I thought the algorithm rollover process is required to be: introduce new > ZSK and KSK and sign the zone; wait for old records to expire; flip the DS > from old to new; wait for old DS to expire; delete old ZSK and KSK and > RRSIGs. A double-DS

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-10 Thread Tony Finch
Mark Andrews wrote: > Sebastian Wiesinger wrote: > > > > Thank you for explaining this for me. I was reading RFC6781, which I > > now realize is probably outdated in this regard so I was a bit > > confused. RFC 7583 (DNSSEC Key Rollover Timing) is also