notify explicit and also-notify

2018-05-03 Thread Blason R
Hi, so I was playing with these two statements and wanted to know something on also-notify. also-notify by default will update slaves about delta changes on port TCP/53 if not explicitly set, right? e.g. also-notify {10.0.1.2; "notify-them" port 2034;};

Re: Dynamic zone vs static records

2018-05-03 Thread Grant Taylor via bind-users
On 05/03/2018 12:42 PM, Darcy Kevin (FCA) wrote:
> As far as I know, Domain Controllers still only maintain SRV records
DCs, likely all member servers, and possibly all workstations (or the DHCP server on their behalf) will try to register A / and PTR records too. Also, updates to the

RE: Dynamic zone vs static records

2018-05-03 Thread Darcy Kevin (FCA)
“We are aware that we should not mix the plain text configuration with these dynamic records (and use a subdomain instead)” So, why don’t you do that? As far as I know, Domain Controllers still only maintain SRV records, so the “underscore zones” approach should still work. Make

Re: DNS RPZ Master/Slave configuration

2018-05-03 Thread Blason R
Again unicast could be any IP address or normal IP address given on server? There is no such specification like multicast On Thu, May 3, 2018 at 7:46 PM, Blason R wrote: > Thanks I got it, Below link helped me understand. > >

Re: DNS RPZ Master/Slave configuration

2018-05-03 Thread Blason R
Thanks I got it, Below link helped me understand. https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html The one thing I didn't understand is how to assign unicast address from DNS perspective? On Thu, May 3, 2018 at 7:36

DNS RPZ Master/Slave configuration

2018-05-03 Thread Blason R
Hi there, Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference? Is that available with someone? And does it work exactly as master/slave like any other zone?

Re: DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tony Finch
Tom wrote: > Does the "inline-signing"-mechanism also automatically renew the > expiration-time of the RRSIGs? Yes. > If so: When or in which interval does BIND verify the expiration-times > of the RRSIGs and renew them? The documentation for sig-validity-interval says

Re: root hints

2018-05-03 Thread Anand Buddhdev
On 02/05/2018 23:39, Rick Dicaire wrote: > Thanks for the responses folks...so if I don't need to manage root.hints, > can I remove the line: > > zone "." IN {type hint;file "root.cache";}; > > from named.conf? Yes, you can remove it. Regards, Anand

DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tom
Hi list Using latest BIND (9.12.1) with dnssec and inline-signing enabled. SIG-VALIDITY-INTERVAL is set to 1 day (for testing). Look the following RRSIG: test01.example.com. 300 IN RRSIG A 8 3 300 ( 20180504060124 20180503052321 1 test01.example.com.