> On 26 Mar 2020, at 08:04, Havard Eidnes via bind-users
> wrote:
>
> >> This was an accident - we did *not* do this on purpose - but in fact,
>> this is a good time for anyone who still has dlv.isc.org configured
>> to REMOVE it from your BIND configuration.
>
> This advice may be
Thanks for the information Matthijs.
We were actually looking forward to this particular feature in 9.16.x for
easier key rolls. So, if you have any idea yet about the timeframe to
develop and backport the NSEC3 support to 9.16, let us know.
Thanks!
Shumon.
On Wed, Mar 25, 2020 at 4:09 PM
> This was an accident - we did *not* do this on purpose - but in fact,
> this is a good time for anyone who still has dlv.isc.org configured
> to REMOVE it from your BIND configuration.
This advice may be misunderstood. Use of dlv.isc.org is usually
implied, not explicitly stated in named.conf,
Hi Shumon,
The "NOT IMPLEMENTED YET" is still accurate. It means that if you use
dnssec-policy, your zones will be signed with NSEC. Any attempts to make
it work with NSEC3 (with Dynamic Update for example) have undefined
behavior.
You are right that at this moment dnssec-policy is not yet
On Wed, Mar 25, 2020 at 9:04 AM Matthijs Mekking wrote:
> Hi Håkan,
>
> First of all, thanks for trying out the new dnssec-policy feature.
>
> I'll admit there is insufficient documentation and tooling around
> migration to dnssec-policy, possibly there is a bug too.
>
[...]
Hi Matthijs,
We
We apparently let our signatures on dlv.isc.org expire. We are fixing it now.
We apologize for this.
This was an accident - we did *not* do this on purpose - but in fact, this is a
good time for anyone who still has dlv.isc.org configured to REMOVE it from
your BIND configuration. The zone is
Hello,
I unfortunately got hit by the key expiration or whatever just happened about
an hour ago that caused the "dnssec-lookaside auto" command to crush all of our
DNS queries.
I realize that it wasn't doing anything but we left the command in there
because it had been in there and in the
At 16:05:08, a toy BIND 9.10.3-P4 recursive nameserver began answering all
queries with SERVFAIL, logging:
-=-
Mar 25 16:05:08 serni named[1525]: validating dlv.isc.org/NSEC: verify failed
due to bad signature (keyid=64263): RRSIG has expired
Mar 25 16:05:08 serni named[1525]: validating
On 2020-03-25 14:03, Matthijs Mekking wrote:
Existing keys do not have a .state file, and so named will try to match
those keys with the policy by looking at the data in the .key and
.private files. However, perhaps some metadata is different? If so the
keys don't match the policy and named will
Hi Håkan,
First of all, thanks for trying out the new dnssec-policy feature.
I'll admit there is insufficient documentation and tooling around
migration to dnssec-policy, possibly there is a bug too.
Existing keys do not have a .state file, and so named will try to match
those keys with the
Hello,
I have seen essentially this same question/problem posed by others in
other forums but never seen any proper answers to it.
I have now tried this myself with BIND 9.16.1 and faced the exact same
issue that I had previously read about.
How does one migrate an already signed zone from
when I build BIND, below:
hi all :
./configure --prefix=/opt/bind9 --with-openssl=/opt/openssl-1.1.1d \
--with-pkcs11=/opt/hsm/libsspkcs11.so \
--with-python=/usr/local/python27/bin/python && make && make install
ok it's fine
and then
/opt/bind9/sbin/pkcs11-list -p "" --- it's ok