On Tue, Jan 14, 2014 at 07:55:44PM -0500, Kevin Darcy wrote:
If the domain owner *really* feels that they have to publish *some*
address record for a particular name, but there is no available
service at that name, then the null or unspecified address (IPv4 =
0.0.0.0, IPv6 = ::0) is the
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
So I guess my DS record has the same TTL as my default TTL for my records?
My default is 8 hours, so if I wait 8 hours after I remove the DS from my
parent zone then I should be ok? My parent zone is a TLD (.edu).
The DS record is
On Tue, Jan 07, 2014 at 04:34:27PM +, Eric Davis wrote:
Duh...silly mistake...I did a DIG on the NS record..Once the DS record is
removed DNS queries should work fine right? Thanks Bill.
Once the DS record is removed from the .edu zone, queriers won't expect your
zone to be signed any
On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
Hello;
Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
ic.fbi.gov that seems to be DNSSEC related.
Am fairly certain of this because if
On Fri, Apr 27, 2012 at 08:40:54AM -0400, wbr...@e1b.org wrote:
We are authoritative for a few dozen small zones. Is it possible to use
the same KSK for all of them? I can see where if it gets compromised we
would need to resign all zones using the KSK at once. How much effort
would I be
On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote:
Hello,
I was setting up BIND DNSSEC and when I issue the following command the
process never finishes.
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
I straced the process and noticed the following
On Tue, Mar 13, 2012 at 08:26:02AM -0500, Daniel McDonald wrote:
On 3/13/12 8:20 AM, hugo hugoo hugo...@hotmail.com wrote:
== do I have to create in zone toto.be the following NS record:
titi.toto.be. TTL IN NS ns1.xxx.be
I have found cases where
On Tue, Mar 13, 2012 at 01:42:00PM +, hugo hugoo wrote:
Thanks for the feedback.
Is this a glue record? I do not have any IP defined in the NS record.
No, a glue record is an address record (A or AAAA) for an NS record in the
parent zone, to avoid the problem of having the child zone
On Wed, Mar 07, 2012 at 12:13:35PM +, Chris Thompson wrote:
This is wrong (although I have seen the same thing stated in a number
of other places). When the default public exponent was changed from
3 to 2^16+1 (change 2088) the one selected by -e was changed from
2^16+1 to 2^30+3 ... *not*
On Wed, Mar 07, 2012 at 02:43:01PM +, Chris Thompson wrote:
Oh, damn. I have to retract. Or indeed, grovel. It all depends on which
version of OpenSSL it is linked with, not on the code in dnssec-keygen
itself. Older versions do indeed generate 2^30+3, but newer ones 2^32+1.
You can see
On Wed, Mar 07, 2012 at 02:43:01PM +, Chris Thompson wrote:
You can see the BE (2^30+3) ones in the DNSKEYs for dlv.isc.org as
well as in a number of our own zones (which says either that the keys
are oldish or that the versions of OpenSSL used are not as up to date
as they probably
On Wed, Mar 07, 2012 at 03:35:25PM +, Spain, Dr. Jeffry A. wrote:
Please post any additional evidence you may have that would further the
discussion. Thanks. Jeff.
There's quite a bit about choosing e in this presentation:
On Fri, Mar 02, 2012 at 11:13:06AM +0100, Matus UHLAR - fantomas wrote:
On 29.02.12 17:53, Michael McNally wrote:
NXDOMAIN redirection is now possible. This enables a resolver
to respond to a client with locally-configured information
when a query would otherwise have gotten an answer of
On Mon, Feb 27, 2012 at 02:32:31PM +0100, Stephane Bortzmeyer wrote:
With Unbound, there are two commands to clear the cache, one which
deletes only the records with the exact name and one which is
recursive (deletes everything under the name).
With BIND, I find only the first one, rndc
On Sun, Feb 12, 2012 at 10:22:22AM -0800, Michael Sinatra wrote:
On 02/12/12 09:40, dE . wrote:
I'm trying to see DNSSEC response of various sites; my DNS server is
8.8.8.8 (google's public DNS service)
. . .
As we can see, the DNSKEY and DS RR is missing which is mandatory for
this to be of
On Fri, Feb 03, 2012 at 01:55:12PM +, Florian Weimer wrote:
These nameservers:
dns2.oppedahl.com. 172800 IN A 208.109.255.50
dns1.oppedahl.com. 172800 IN A 216.69.185.50
return SERVFAIL for EDNS0 queries. COM contains a signed delegation.
This
On Fri, Feb 03, 2012 at 02:12:43PM +, Florian Weimer wrote:
* Bill Owens:
On Fri, Feb 03, 2012 at 01:55:12PM +, Florian Weimer wrote:
These nameservers:
dns2.oppedahl.com. 172800 IN A 208.109.255.50
dns1.oppedahl.com. 172800
On Fri, Feb 03, 2012 at 10:04:19AM -0500, Lear, Karen (Evolver) wrote:
Who would be responsible for opening a trouble report to GoDaddy? I don't
understand exactly what the problem is here.
It looks, from the outside, as though the Oppedahl Patent Law Firm LLC uses
GoDaddy for DNS
On Fri, Jan 13, 2012 at 11:20:39AM -0600, Ian Pilcher wrote:
I am a relative newbie to running BIND in production. I have recently
set up BIND 9.7 (on CentOS 6.2) as the nameserver for my home network.
I am using Google's public DNS servers (8.8.8.8 and 8.8.4.4 as my
forwarders).
My ISP
On Mon, Nov 28, 2011 at 01:03:15PM -0500, wbr...@e1b.org wrote:
Todd wrote on 11/24/2011 11:29:14 AM:
I don't understand why Windows doesn't include dig by default, even
now. Free software hate?
And grep and logrotate! At least the GnuWin32 project has a good version
of grep.
There
On Thu, Nov 17, 2011 at 03:41:54PM +0100, Aleksander Kurczyk wrote:
Why would you run a dns server on a non standard port? There's no way
for clients to query via non standard ports.
I would like to make an experimental configuration simulating a few BIND
servers on one PC (PowerMac G4 400
On Wed, Nov 02, 2011 at 08:45:31AM -0400, wbr...@e1b.org wrote:
Lyle wrote on 11/01/2011 04:19:18 PM:
Again, this has a disadvantage if they ever decide to make .internal a
real internet domain name and some people frown upon this practice. Be
sure you know what can go wrong.
Is
On Wed, Nov 02, 2011 at 10:02:45AM -0400, wbr...@e1b.org wrote:
But it does provide some alternatives:
.intranet
.internal
.private
.corp
.home
.lan
But can we guarantee that they won't be approved as new public TLDs per
the new rules adopted this summer where anything can be a TLD?
On Fri, Oct 28, 2011 at 05:39:05PM +, Laws, Peter C. wrote:
OK, so simply putting the NS records in the parent zone is sufficient to make
it a separate zone. No need to put stuff in named.conf unless I want to or
until I actually delegate to a different set of nameservers.
Actually, the
On Fri, Oct 28, 2011 at 04:48:10PM +, Laws, Peter C. wrote:
It seems like there are two ways I could delegate a zone.
I could, in the zone file for the parent, simply list the name of the zone
and a number of NS records to which the zone has been delegated.
Or, I could create a zone
On Tue, Oct 04, 2011 at 06:31:03PM +, Raymond Drew Walker wrote:
I have been unable to determine the correct method to add a DS record by
hand. The ultimate goal would be the automation of this process.
Generate the DS record with dnssec-dsfromkey, cut and paste it into the zone
file, then
On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote:
In our initial implementation of DNSSEC, we chose to try out the auto
functionalities in version 9.8.0 P4 ie. using auto-dnssec maintain in
all master zones.
When going live, we found that though all zones that we are
On Thu, Sep 29, 2011 at 04:52:10PM -0500, Michael Graff wrote:
I'm happy you read it, and hope to see you at the forum/customer webinar next
week! I'll be speaking, and will bring my fireproof undies.
I'm already signed up, but no worries about flaming - at least not from me ;)
We came to
On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote:
In our initial implementation of DNSSEC, we chose to try out the auto
functionalities in version 9.8.0 P4 ie. using auto-dnssec maintain in
all master zones.
When going live, we found that though all zones that we are
On Fri, Sep 30, 2011 at 08:48:56PM -0400, Jeff Reasoner wrote:
Hmm, I see an A record using the same query:
Interesting. . . my validating resolver (also 9.8.1) will only give me an A if
I ask with +cd. And if I follow that query with another, without the +cd, I get
SERVFAIL; then re-querying
I've obviously been asleep and not following along with the announcements of
new features in BIND 9.9 until today. . . both Evan's blog post
http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview and
the announcement of next week's webinar include NXDOMAIN redirection as the
On Wed, Sep 07, 2011 at 10:39:30AM -0600, Norman Fournier wrote:
Hello,
I was running BIND successfully on OS X 10.4 Tiger. That webserver crashed
and I replaced it with a new cpu and installed OS X 10.5 Leopard and have
encountered a number of errors in my configuration. This is the
On Mon, Jul 11, 2011 at 04:06:42PM -0400, Bill Owens wrote:
On Mon, Jul 11, 2011 at 02:11:57PM -0400, Jonathan Kamens wrote:
The number of DNS queries required for each address lookup requested by
a client has gone up considerably because of IPV6. The problem is being
exacerbated
On Tue, Jul 19, 2011 at 04:58:53PM +0200, mailsecurity wrote:
All,
anyone experiencing the same behavior?
I hope so, because that's the correct behavior. Dell's nameserver is broken:
http://tools.ietf.org/html/rfc4074
Common Misbehavior Against DNS Queries for IPv6 Addresses - May 2005
4.2.
On Mon, Jul 11, 2011 at 02:11:57PM -0400, Jonathan Kamens wrote:
The number of DNS queries required for each address lookup requested by
a client has gone up considerably because of IPV6. The problem is being
exacerbated by the fact that many DNS servers on the net don't yet
support IPV6
On Mon, Jul 11, 2011 at 04:25:59PM -0400, Jonathan Kamens wrote:
On 7/11/2011 4:06 PM, Bill Owens wrote:
https://lists.isc.org/pipermail/bind-users/2011-March/083109.html
in which the first sentence says it all: The nameservers for
wikipedia.org are broken.
It's not just wikipedia.org
36 matches