Hello,
in line with our deprecation policy, I am notifying the mailing list about our
preliminary intent to deprecate the 'dnssec-must-be-secure' option. The option
will be marked as deprecated (causing a warning from named-checkconf) in BIND
9.18 and 9.20 and it will be removed in BIND 9.21+
Hi Mark!
Very thankful again for your time. Sorry for answering so late, but I
was not at the office yesterday. I answer below in blue for instance...
On 2022-01-27 02:56, Mark Andrews wrote:
> DNSSEC involves lots of timing / co-ordination points and if any of them get
> delayed for any
DNSSEC involves lots of timing / co-ordination points and if any of them get
delayed for any reason the following ones also need to be delayed. While
dnssec-keygen will allow you to set all of the timers for all of a key's life,
it is bad practice to do that.
If you are going to set the
Hi!!
Don't really know if it could help, but I generate the ZSK keys this way:
/usr/local/sbin/dnssec-keygen -3 -a 8 -b 1024 -P now -A now -I +45d -D +47d _
Cheers!!
On 2022-01-25 02:48, Mark Andrews wrote:
> On 25 Jan 2022, at 11:55, ego...@ramattack.net wrote:
>
> Hi
Hi Mark!!!
Thanks again!!! Very very thankful really. Please allow me to answer
you something more as we found a guru here :) :)
But then Mark, what does a key deletion time of a key mean? I
understood that when the deletion time was overtaken in a ZSK, the key
disappeared from the DNSKEY
> On 25 Jan 2022, at 11:55, ego...@ramattack.net wrote:
>
> Hi Mark!!
>
>
>
> Thank you so much for your answer!! and your time!!.
>
>
>
> I have a couple of questions. I ask them between your lines and in blue for
> instance... for emphasizing and being easier to see what I'm referring
Hi Mark!!
Thank you so much for your answer!! and your time!!.
I have a couple of questions. I ask them between your lines and in blue
for instance... for emphasizing and being easier to see what I'm
referring to. I'm talking about ZSK keys in the questions I am asking in
blue.
On 2022-01-25
How 'named' manages DNSSEC is very different to how 'dnssec-signzone' manages
DNSSEC. When you tell named to inactivate a DNSKEY it stops re-signing the zone
with it and it stops signing new records added to the zone with it. It DOES NOT
immediately replace all RRSIGs generated using that
Hi!!
Thanks a lot for your answer!!
I tried before the fact of renaming back and rndc sign... but does not
work just has removed the error from the log
I have changed my key managing code, so that it does not rename the ZSK
(.key and .private) to "-OLD" until at least 2 days have passed from
egoitz--- via bind-users wrote:
>
> These are the contents of a cat of the private file I have renamed to
> samename.private-OLD :
>
> Created: 20211031230338
> Publish: 2020220241
> Activate: 2020220341
> Inactive: 20211215230338
> Delete: 20211217230338
Yes, it can be confusing when
> KSK at the moment) no RRSIG with that key should exist...
>
> Cheers!
>
> On 2022-01-24 13:08, Klaus Darilion wrote:
>
> IIRC, Bind needs the key as long as there are signatures in the zone
> generated by this key. After key deactivation I waited the RRSIG lifetime
> before deleting them.
>
> regards
>
> Klaus
>
> FROM: bind-users ON BEHALF OF egoitz---
> via bind-users
> SENT: Monday, 24 January 2022 13:00
> TO: bind-users@lists.isc.org
> SUBJECT: Bind 9, dnssec, and .key .private files physical deletion
Subject: Bind 9, dnssec, and .key .private files physical deletion after the
key id becomes deleted from zone (the key becomes outdated)
Good morning,
I have a DNSSEC "bump in wire" server, which uses "inline-signing yes;" and
"auto-dnssec maintain
Good morning,
I have a DNSSEC "bump in wire" server, which uses "inline-signing yes;"
and "auto-dnssec maintain;" for that reason.
I do the task of ensuring there are always valid keys in the zone with a
script that generates them whenever needed. All fine until here and
all working.
I have
On 16-08-2021 11:22, raf via bind-users wrote:
On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking
wrote:
Hi,
On 16-08-2021 04:28, raf via bind-users wrote:
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
...
So it's looking good and I'm happy now. But how long
after the
On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking
wrote:
> Hi,
>
> On 16-08-2021 04:28, raf via bind-users wrote:
> > On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> ...
> >
> > So it's looking good and I'm happy now. But how long
> > after the zone has been signed can I
Hi,
On 16-08-2021 04:28, raf via bind-users wrote:
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
...
So it's looking good and I'm happy now. But how long
after the zone has been signed can I expect to see
CDS/CDNSKEY RRs appear? Why aren't they created at
the same time as the DNSKEY
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> But the real problem is that bind crashed, and dumped
> core, and couldn't start at all. There were a hectic
> few minutes there. :-) I deleted the coredump and the
> key files, and the .jnl files, restored backup
> zonefiles, updated the
raf via bind-users wrote:
>
> But that means that it applies to all of the zones in
> /etc/bind/named.conf.default-zones which is not helpful. It also applies
> to the zones in /etc/bind/zones.rfc1918 if that is included in
> /etc/bind/named.conf.local (which a comment there suggested). That's
crashed repeatedly? Here's the subset of the
config that I think could be relevant:
options
{
    allow-recursion { localhost; };
    dnssec-validation auto;
    directory "/var/cache/bind";
    key-directory "/var/cache/bind/keys";
    dnssec-policy "annual"; # I
I would suggest:
tsig-keygen your-key-name
It does not need any options, the defaults are fine.
--
Bob Harold
On Fri, Apr 10, 2020 at 7:52 PM moo can via bind-users <bind-users@lists.isc.org> wrote:
> Hello,
>
> For educational purposes I need to set up a DDNS between DHCPD and
Use tsig-keygen.
--
Mark Andrews
> On 11 Apr 2020, at 09:52, moo can via bind-users
> wrote:
>
>
> Hello,
>
> For educational purposes I need to set up a DDNS between DHCPD and BIND.
>
> Everywhere, debian, zytrax, freeipa, veritas ... use dnssec-keygen.
> Zytrax:
> dnssec-keygen -a
Hello,
For educational purposes I need to set up a DDNS between DHCPD and BIND.
Everywhere, debian, zytrax, freeipa, veritas ... use dnssec-keygen.
Zytrax:
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname
Veritas:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.
Debian:
dnssec-keygen -a
On Nov 1, 2012, at 3:02 AM, Kobus Bensch kben...@fullnet.co.uk wrote:
Thank you for this. Had a look and it seems fairly easy. Not sure if that is
a flippant remark.
As the author of this document, I must say thanks. Deploying DNSSEC is not
hard.
It's the care and feeding after-the-fact
Bensch kben...@fullnet.co.uk
Cc: Feng He fen...@nsbeta.info, bind-users@lists.isc.org
Sent: Thursday, 1 November, 2012 11:08:10 AM
Subject: Re: BIND and DNSSEC
On Nov 1, 2012, at 3:02 AM, Kobus Bensch kben...@fullnet.co.uk wrote:
Thank you for this. Had a look and it seems fairly easy. Not sure
On Nov 1, 2012, at 7:14 AM, Kobus Bensch kben...@fullnet.co.uk wrote:
Is that because split horizon doubles admin or because it's bad altogether?
I have been using split horizon for many years now and found it very useful.
Any thoughts from any on the list would be most welcomed.
Crafted
Feng He fen...@nsbeta.info wrote:
Take a look at:
http://www.dnssec.lk/docs/DNSSEC_in_6_minutes.pdf
I recommend using auto-dnssec maintain so named keeps the zone signed,
instead of dnssec-signzone.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty: East, veering
a...@clegg.com
To: Kobus Bensch kben...@fullnet.co.uk
Cc: bind-users@lists.isc.org
Sent: Thursday, 1 November, 2012 11:26:31 AM
Subject: Re: BIND and DNSSEC
On Nov 1, 2012, at 7:14 AM, Kobus Bensch kben...@fullnet.co.uk wrote:
Is that because split horizon doubles admin or because its bad all
On Nov 1, 2012, at 7:34 AM, Tony Finch d...@dotat.at wrote:
I recommend using auto-dnssec maintain so named keeps the zone signed,
instead of dnssec-signzone.
I do as well, and this will be documented in the next version of this document.
AlanC
--
Alan Clegg | +1-919-355-8851 |
On Nov 1 2012, Jan-Piet Mens wrote:
I do as well, and this will be documented in the next version of
this document.
I believe you've mentioned that here before. Several times. Today. ;-)
“What I tell you three times is true.”
The Bellman, pp Lewis Carroll
--
Chris Thompson
Email:
On 01/11/12 12:26, Alan Clegg wrote:
On Nov 1, 2012, at 7:14 AM, Kobus Bensch kben...@fullnet.co.uk wrote:
Is that because split horizon doubles admin or because it's bad altogether?
I have been using split horizon for many years now and found it very useful.
Any thoughts from any on the
On Nov 1, 2012, at 7:45 AM, Alan Clegg a...@clegg.com wrote:
On Nov 1, 2012, at 7:34 AM, Tony Finch d...@dotat.at wrote:
I recommend using auto-dnssec maintain so named keeps the zone signed,
instead of dnssec-signzone.
I do as well, and this will be documented in the next version of
On 11/1/2012 3:31 PM, Sten Carlsen st...@s-carlsen.dk wrote:
The typical server setup (for own servers) is that one name is used for
setting up e.g. the mail server, the ideal situation for everybody is
that whether I am in house or visiting you, if I have any internet
access, I can read and
On 02/11/12 2:08, Barry S. Finkel wrote:
On 11/1/2012 3:31 PM, Sten Carlsen st...@s-carlsen.dk wrote:
The typical server setup (for own servers) is that one name is used for
setting up e.g. the mail server, the ideal situation for everybody is
that whether I am in house or visiting you, if I
Hi
Can anybody point me in the direction of a good guide on setting up BIND split
horizon DNS and DNSSEC?
Thanks in advance
Kobus
--
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users
On 04/06/10 11:11, Tim Verhoeven wrote:
Hi,
I'm currently testing the automatic signing for DNSSEC present in Bind
9.7. I'm currently using Bind 9.7.0 and I have 2 questions.
The first one, can I configure multiple key directories? The reasoning
for this is that I would like to separate
On Fri, Jun 4, 2010 at 1:18 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 04/06/10 11:11, Tim Verhoeven wrote:
I'm currently testing the automatic signing for DNSSEC present in Bind
9.7. I'm currently using Bind 9.7.0 and I have 2 questions.
The first one, can I configure multiple key
On Fri, Jun 4, 2010 at 3:11 AM, Tim Verhoeven tim.verhoeven...@gmail.comwrote:
The second question. I've tried doing a resalt using dynamic updates
but I can't get it to work. Just adding a new NSEC3PARAM RR crashes
Bind and doing a delete and then a add (to replace the present RR)
gives me
The first one, can I configure multiple key directories? The reasoning
for this is that I would like to separate the KSKs from the ZSKs.
No, you can't... but that's an interesting idea. Right now it's a single
key directory per zone.
The second question. I've tried doing a resalt using
On Fri, Jun 4, 2010 at 9:10 AM, Evan Hunt e...@isc.org wrote:
The way it's supposed to work is: you add the new NSEC3PARAM record,
then wait for the new NSEC3 chain to be built. The newly inserted record
will, at first, have its flags field set to a nonzero value; this
indicates that the