Re: FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-20 Thread Mark Andrews
> On 20 Oct 2022, at 22:49, Andreas S. Kerber wrote: > > On Thu, Oct 20, 2022 at 01:23:47PM +0200, Ondřej Surý wrote: >> did you try writing to elbrev.com operators to fix >> their servers to stop breaking DNS protocol? It often helps. (I'm ccing the >> contact in their

Re: procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?

2022-10-20 Thread PGNet Dev
On 19. 10. 22 19:48, Mark Andrews wrote: Just reload the server. +1 with the does the DS record need to be touched? i.e., will the changed to nsec3param change the zone's KSK? Let me add that no, DS record is not affected at all by NSEC or NSEC3. dnssec-policy management is doing a nice

Re: FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-20 Thread Ondřej Surý
https://bind9.readthedocs.io/en/v9_18_8/chapter9.html?highlight=cookie -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 20. 10. 2022, at 13:49, Andreas S. Kerber

Re: FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-20 Thread Andreas S. Kerber
On Thu, Oct 20, 2022 at 01:23:47PM +0200, Ondřej Surý wrote: > did you try writing to elbrev.com operators to fix their > servers to stop breaking DNS protocol? It often helps. (I'm ccing the contact > in their SOA records, so let's see if anything happens.) > > It's not

Re: FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-20 Thread Ondřej Surý
Hi, did you try writing to elbrev.com operators to fix their servers to stop breaking DNS protocol? It often helps. (I'm ccing the contact in their SOA records, so let's see if anything happens.) It's not lack of EDNS0 support, but they fail to properly process unknown

FORMERR responses after upgrading resolver from 9.16 to 9.18.8

2022-10-20 Thread Andreas S. Kerber
I've just finished upgrading our last resolver from 9.16 to 9.18.8 a few days ago. As it turns out, a number of zones are no longer resolvable with 9.18. Some nameservers out there don't seem to support EDNS0 and the number of FORMERR responses in our resolver logs went up quite a bit. Here's

Re: procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?

2022-10-20 Thread Petr Špaček
On 19. 10. 22 19:48, Mark Andrews wrote: Just reload the server. On 20 Oct 2022, at 01:45, PGNet Dev wrote: with the does the DS record need to be touched? i.e., will the changed to nsec3param change the zone's KSK? Let me add that no, DS record is not affected at all by NSEC or NSEC3.