Re: ECS-IP in the RPZ-Log?

2021-10-27 Thread Mark Andrews
Submit an issue at https://gitlab.isc.org/ > On 28 Oct 2021, at 01:00, Tom wrote: > > Hi > > Using BIND-9.16.21. I'm wondering, if it's possible to have the ECS client IP > address in the RPZ log. > In front of our BIND, which has an RPZ configuration, is a dnsdist, which > injects the ECS-IP.

Re: DNSSEC questions

2021-10-27 Thread Alessandro Vesely
Hi Matthijs, thanks for clarifications. On Wed 27/Oct/2021 17:53:46 +0200 Matthijs Mekking wrote: On 27-10-2021 12:54, Alessandro Vesely wrote: I also switched to dnssec-policy.  Somewhere I read that I should have defined a policy with keys matching the existing keys.  I also defined a

Re: Query on issue#2389 BIND 9.16.10

2021-10-27 Thread Ondřej Surý
-- Ondřej Surý (He/Him) ond...@isc.org > On 27. 10. 2021, at 7:03, Mayank Maheshwari M > wrote: > > Hi Ondrej, > > Thanks for all your responses so far. > > As per the recommendation from BIND community we plan to proceed with an > upgrade to latest BIND version (9.16.21) where, as per

Re: DNSSEC questions

2021-10-27 Thread Matthijs Mekking
Hi Alessandro, Your policy has three keys: keys { ksk key-directory lifetime unlimited algorithm rsasha256 2048; zsk key-directory lifetime unlimited algorithm rsasha256 2048; csk key-directory lifetime unlimited algorithm rsasha256 2048; }; Two of them require DS

ECS-IP in the RPZ-Log?

2021-10-27 Thread Tom
Hi Using BIND-9.16.21. I'm wondering, if it's possible to have the ECS client IP address in the RPZ log. In front of our BIND, which has an RPZ configuration, is a dnsdist, which injects the ECS-IP. BIND could log the ECS-IP with the builtin "querylog" (rndc querylog on). In the following

Re: Resolver failures after stale-answer enabled

2021-10-27 Thread Blažej Krajňák
https://gitlab.isc.org/isc-projects/bind9/-/issues/2982 On Wed, 27. 10. 2021 at 11:53, Blažej Krajňák wrote: > > Hello, > > a few days ago I updated our recursive resolvers at AS50242 from Debian > 10 to 11 to be able to enable stale-answer after Facebook incident. > However, today I got bug reports

DNSSEC questions

2021-10-27 Thread Alessandro Vesely
Hi all, I recently installed version 9.16, and have a number of doubts. During the upgrade, named didn't want to load signed zones because of CDS/CDNSKEY inconsistency. There were CDS records in the zone files, which I removed. I also switched to dnssec-policy. Somewhere I read that I

Resolver failures after stale-answer enabled

2021-10-27 Thread Blažej Krajňák
Hello, a few days ago I updated our recursive resolvers at AS50242 from Debian 10 to 11 to be able to enable stale-answer after Facebook incident. However, today I got bug reports from customers. Their browsers often fail at page loading with DNS_PROBE_FINISHED_NXDOMAIN. After few seconds (and after

dig: couldn't get address for root servers

2021-10-27 Thread salma smaoui
Greetings, Hope you're all doing great. Actually, I am using bind 9.11.28-S1, and I am facing some problems: whenever I use the command dig +trace, I came across this error: dig: couldn't get address for 'F.ROOT-SERVERS.NET': failure. Does anyone have an idea why I see this error? It is