Re: Dnssec-validation auto

2020-11-13 Thread Ismael Suarez
resolv.conf has only itself as DNS server. When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server.
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:18.998

Re: How to generate ZSK key with one year valid

2020-11-13 Thread Ondřej Surý
Ramesh, DNSKEY records don’t have validity (only the metadata do), so perhaps it would be a good time to describe what you are doing, what you are expecting and what you are experiencing. Letting us guess all of these is a waste of our and your time and it is a bit disrespectful to anybody

Re: How to generate ZSK key with one year valid

2020-11-13 Thread Ed Daniel
On 13/11/2020 13:08, rams wrote:
> Hi,
> Can anyone help me how to generate ZSK key with one year validity?
> When I am trying, it is default 30 days validity but I want to make ZSK
> key validity 1 year. Is it possible in bind?
>
> Regards,
> Ramesh
Hi Ramesh, Are you using the CLI-based tool

Is auto-dnssec option mandatory for inline sign?

2020-11-13 Thread rams
Hi, is the auto-dnssec option mandatory for inline signing along with the "inline-signing yes" option? Kindly confirm. Regards, Ramesh
___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development

Re: Dnssec-validation auto

2020-11-13 Thread Petr Menšík
I would check what nameservers are in /etc/resolv.conf, and try to direct delv or dig to its address.
for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do dig +dnssec @$H www.popularsba.com; done
Check every server returns reliable and the same results. I had one NOERROR and

How to generate ZSK key with one year valid

2020-11-13 Thread rams
Hi, Can anyone help me how to generate ZSK key with one year validity? When I am trying, it is default 30 days validity but I want to make ZSK key validity 1 year. Is it possible in bind? Regards, Ramesh

Re: Dnssec-validation auto

2020-11-13 Thread Ismael Suarez
With "dnssec-validation AUTO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
With "dnssec-validation NO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com. 279 IN CNAME

Re: Dnssec-validation auto

2020-11-13 Thread Petr Menšík
Hi Ismael, the easiest way to check validation is using the delv tool from BIND 9.11+. It uses the same algorithm as the BIND server does. If you get SERVFAIL from your recursive server, try adding the +cd parameter to delv or dig. When it works with +cd, validation is responsible somewhere in recursive servers