Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Mark Elkins via bind-users
Couple of things... Use the words Primary and Secondary... don't use Master and Slave - as it upsets many people. (I teach DNS/DNSSEC and still say dumb things at times, and I live in South Africa.) The Secondary Nameservers should not have any additional DNSSEC configurations if the Primary

Re: Facing issues while resolving only one record

2023-08-30 Thread Mark Elkins via bind-users
To disable DNSSEC validation for a domain from the command line - I use: dig +cd eportal.incometax.gov.in Works as expected. Better answer is to get them to fix the problem. On 2023/08/30 17:08, Bob McDonald wrote: Turning off validation for that domain

Re: Zone stats

2023-08-27 Thread Mark Elkins via bind-users
Thank you Timothe for this. I tested this on some of my domains and found AXFR worked the best: dig @::1 $zone axfr | grep -v '^;' | grep -v "^$zone" | grep 'NS    ' | cut -f1 | cut -f1 -d' ' | sed 's/\.$//' | sort -u > axfr.$zone ... does the trick. $zone is the Zone in question.

Zone stats

2023-08-21 Thread Mark Elkins via bind-users
Hi, I'm writing some software to be able to read information from a Zone file. I am a legally authorised Secondary Authoritative Nameserver for a number of domains, or rather zone files, e.g. EDU.ZA (and others). Is there an easy way to:- 1) Count how many delegated domains there are (Names

Re: TLS Statistics

2023-08-02 Thread Mark Elkins via bind-users
Seems like an excellent idea. I've added an additional "Thumbs Up" to the ISC web page linked below. Perhaps others might do the same so this already two year old idea can be implemented a bit sooner? On 2023/08/02 10:00, Richard T.A. Neal wrote: Hi Florian, This feature doesn’t yet

Re: Changing DNS servers (name only) for a DNSSEC enabled domain

2023-02-13 Thread Mark Elkins via bind-users
If the IP addresses of the DNS servers (dns[123].olddomain and dns[123].newdomain) are staying the same - then you only need to send an update to change your domain from being hosted at olddomain to newdomain. Ideally, the newdomain would be created first (pointing to the same IP addresses as

Re: dnssec-policy - KSK rollover

2022-11-24 Thread Mark Elkins via bind-users
OK - so I read RFC7344... Automating DNSSEC Delegation Trust Maintenance. There are two interesting paragraphs. 5. CDS/CDNSKEY Publication - The Child DNS Operator publishes CDS/CDNSKEY RRset(s). In order to be valid, the CDS/CDNSKEY RRset(s) MUST be compliant with the

Re: dnssec-policy - KSK rollover

2022-11-24 Thread Mark Elkins via bind-users
Parent. Personally I like to keep the CDS in the child zone, so you can see if the parent is in sync, that is why I implemented it in BIND 9 to keep the CDS. Best regards, Matthijs On 23-11-2022 18:24, Mark Elkins via bind-users wrote: Hi people, I have read https://kb.isc.org/docs/dnss
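Added example, not code from this thread or from BIND: the consistency check the two messages above are about, namely whether the CDS RRset the child publishes (and, run the same way, the DS RRset the parent actually holds) is exactly the DS set of the KSKs in the child's DNSKEY RRset, so a lagging parent or a stale CDS shows up during a KSK rollover. It computes DS records from DNSKEY RDATA per RFC 4034 (key tag from Appendix B, digest over owner wire form plus RDATA) for digest types 2 (SHA-256, RFC 4509) and 4 (SHA-384, RFC 6605) only. The owner `child.test.example.` and the key material are constructed; the key bytes are placeholders with the right length for algorithm 13, not a real ECDSA key, and the records are assumed to have been fetched already (no network).

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

DS = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, uppercase hex digest)
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # RFC 4509 SHA-256, RFC 6605 SHA-384


@dataclass(frozen=True)
class DNSKEY:
    """One DNSKEY record in presentation form: owner, flags, protocol, algorithm, base64 key."""
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey_b64: str

    def rdata(self) -> bytes:
        """Wire-format RDATA: 2-byte flags, protocol, algorithm, raw public key."""
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.pubkey_b64))

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set (257 = zone key + SEP)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (algorithm 1, RSAMD5, is obsolete and not handled)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, each length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS (and so CDS) RDATA for a DNSKEY: digest = hash(owner wire || DNSKEY RDATA), RFC 4034 5.1.4."""
    digest = DIGESTS[digest_type](owner_wire(key.owner) + key.rdata()).hexdigest().upper()
    return (key.key_tag(), key.algorithm, digest_type, digest)


def parse_ds_lines(lines: Iterable[str]) -> Set[DS]:
    """Parse presentation-format DS or CDS RDATA ('keytag alg digesttype hex'), as dig prints it."""
    out: Set[DS] = set()
    for line in lines:
        tag, alg, dtype, *digest = line.split()
        out.add((int(tag), int(alg), int(dtype), "".join(digest).upper()))
    return out


def ds_set_in_sync(keys: Iterable[DNSKEY], published: Iterable[str]) -> bool:
    """True when a published DS-shaped set (the child's CDS, or the parent's DS) equals the DS set
    of the KSKs in the child's DNSKEY RRset, for every digest type the published set uses.
    A CDS/DS naming a key that is not a published KSK, or a KSK with no CDS/DS, is out of sync.
    During a double-DS KSK rollover both old and new KSK sit in DNSKEY, so both are expected."""
    pub = parse_ds_lines(published)
    digest_types = {d[2] for d in pub}
    if not pub or not digest_types <= set(DIGESTS):
        return False
    expected = {ds_from_dnskey(k, dt) for k in keys if k.is_ksk() for dt in digest_types}
    return expected == pub


def format_ds(ds: DS) -> str:
    return f"{ds[0]} {ds[1]} {ds[2]} {ds[3]}"


# Constructed sample keys (placeholder bytes, not real keys), algorithm 13 = ECDSAP256SHA256.
FAKE_KEY_OLD = base64.b64encode(bytes(range(64))).decode()
FAKE_KEY_NEW = base64.b64encode(bytes(range(64, 128))).decode()
KSK_OLD = DNSKEY("child.test.example.", 257, 3, 13, FAKE_KEY_OLD)
KSK_NEW = DNSKEY("child.test.example.", 257, 3, 13, FAKE_KEY_NEW)
ZSK = DNSKEY("child.test.example.", 256, 3, 13, base64.b64encode(bytes(64)).decode())

if __name__ == "__main__":
    dnskeys = [KSK_OLD, KSK_NEW, ZSK]
    cds = [format_ds(ds_from_dnskey(k)) for k in (KSK_OLD, KSK_NEW)]
    for line in cds:
        print("CDS", line)
    print("child CDS matches DNSKEY KSKs:", ds_set_in_sync(dnskeys, cds))
    print("parent holding only the old DS:", ds_set_in_sync(dnskeys, cds[:1]))
```

In practice the three inputs come from `dig child.test.example DNSKEY`, `dig child.test.example CDS` and `dig @parent-server child.test.example DS`; only the first and last decide whether the chain of trust is intact, the CDS is what the child is asking the parent to make the DS look like.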

dnssec-policy - KSK rollover

2022-11-23 Thread Mark Elkins via bind-users
Hi people, I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy and have put the following policy in my named.conf file:- dnssec-policy "ecdsa256-policy" { signatures-refresh 5d; signatures-validity 14d; signatures-validity-dnskey 14d; dnskey-ttl 3600;

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Mark Elkins via bind-users
Yes - I think "automated" in-line signing would be useful in "dnssec-policy" run zones. We didn't need this some versions of BIND ago (I had to add it recently on a zone that I've been testing with - untouched from a year or so ago). We don't generally edit the signed zone - just the

Re: DNSSEC adoption

2022-08-03 Thread Mark Elkins via bind-users
I generally agree with you - comments in line On 8/3/22 5:56 PM, Peter wrote: I see a two-fold issue with DNSSEC: 1. The wide-spread tutorials seem to explain a key rollover as an exceptional activity, a *change* that is infrequently done. And changes, specifically the infrequent ones,

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Mark Elkins via bind-users
Hmmm - might be saying the wrong thing but... .SE was DNSSEC Signed waaay before the root, so if living in Sweden, one would prep your DNSSEC aware resolver with the DS Key of the .SE Zone. DNSSEC then worked for .SE domains. Perhaps do the same? I do get confused further down in this email