Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-05-02 Thread Aram Sargsyan
> Wondering out loud: > Maybe it should skip loading that particular member zone if the "coo" > property already points to different catalog? Would that be more > resilient against race conditions when named is restarted? That's an interesting suggestion, and I agree that it can solve the

Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-05-02 Thread Petr Špaček
On 30. 04. 23 13:04, Aram Sargsyan wrote: Hello, Jan-Piet, > however, when I stop and restart the consumer server, I have sometimes (not always) seen > > catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because another catalog zone already contains an entry with that zone >

Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-04-30 Thread Aram Sargsyan
Hello, Jan-Piet,   > however, when I stop and restart the consumer server, I have sometimes (not > always) seen >  > catz: catz_addmodzone_cb: zone 'z10.aa' will not be added because another > catalog zone already contains an entry with that zone > >which is true, but it doesn't _seem_ to

Re: Is it possible to move a zone between catalogs on the same secondary? It is.

2023-04-21 Thread Jan-Piet Mens
And yes, you can automate this with nsupdate to old and new catalog, Brilliant, Petr, thank you. I saw some of the loveliest log messages this week during coo from k-catz to t-catz: zone t-catz/IN: transferred serial 10: TSIG 't' catz: t-catz: reload start catz: updating

Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Havard Eidnes via bind-users
Hi, a partial response: > If it's possible, can anyone confirm zone transfers from master > to slave would still work even if the servers ran different > major versions? Yes, "of course", because the details of that transfer are specified by the DNS protocol standards.

Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Saleck
-11.4.54.0.1.138.0 --- > > service/network/dns/bind 9.16.33.0.0-11.4.51.0.1.132.0 --- > > service/network/dns/bind 9.16.33.0.0-11.4.50.0.1.126.2 --- > > service/network/dns/bind 9.16.29.0.0-11.4.48.0.1.126.0 --- > > service/network/dns/bind 9.11.37.0.0-11.4.45.0.1.

Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Ondřej Surý
> service/network/dns/bind 9.11.36.0.0-11.4.42.0.1.113.0 --- > ... > > > It is possible to update from Solaris 11.4.45.0.1.119.0 to 11.4.55.0.1.138.1 > and thereby skip 9.16 altogether. > > Regards, > > Stacey > > * 9.18.11 uses OpenSSL v3 > > On 20 Ap

Re: Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-21 Thread Stacey Marshall
/bind 9.11.36.0.0-11.4.42.0.1.113.0 --- ... It is possible to update from Solaris 11.4.45.0.1.119.0 to 11.4.55.0.1.138.1 and thereby skip 9.16 altogether. Regards, Stacey * 9.18.11 uses OpenSSL v3 On 20 Apr 2023, at 17:26, Saleck wrote: Hi, we are currently

Is it possible to upgrade bind from 9.11 to 9.18 directly?

2023-04-20 Thread Saleck
advice. ;) If it's possible, can anyone confirm zone transfers from master to slave would still work even if the servers ran different major versions? I know we won't be able to use TLS until both servers would run 9.18 but would the regular transfers still work? It would help us a great deal

Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-20 Thread Petr Špaček
On 19. 04. 23 19:23, Jan-Piet Mens wrote: Any ideas? is this the point at which I confess I've only now read about Change of Ownership (coo) [1]? Indeed. Chapter https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-catalog-zones#name-change-of-ownership-coo-pro has an example how the

Re: Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens
Any ideas? is this the point at which I confess I've only now read about Change of Ownership (coo) [1]? -JP [1] https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC

Is it possible to move a zone between catalogs on the same secondary?

2023-04-19 Thread Jan-Piet Mens
I'm in the process of migrating a modest number of zones from one signer (OpenDNSSEC) to another (Knot-DNS). (The KSKs are identical so that should not be an issue for this question.) Each of the signers have a catalog (manually maintained for ODS, automatically for Knot) which is transferred

Possible bug. Bind 9.18 blocking on dnstap

2022-05-27 Thread Borja Marcos
Hi, I just stumbled upon a problem. It happened on FreeBSD 13.1-RC (going to update to 13.1 today). I am running bind 9.18.3 with dnstap using a Unix socket. Once the socket has been opened by bind, if the process serving the Unix socket blocks and you try to kill named, it fails to stop,

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-22 Thread Fred Morris
Thanks for the suggestions, folks. Using views with RPZs just gets problematic. Sharing vs forwarding: forwarding seems cleaner and although there are two copies of /BIND/ I don't know that that visibility really hurts anything. Plus that potentially allows the "rear view" resolver to live on a

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Evan Hunt
On Thu, Nov 18, 2021 at 04:06:01PM -0800, Fred Morris wrote: > Thanks for the encouragement folks, I forged ahead and I've got a > different error now: > > "response-policy zone 'rpz1.m3047.net' for view standard is not a > master or slave zone" > > That's the final denouement. There are

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
Thanks for the encouragement folks, I forged ahead and I've got a different error now: "response-policy zone 'rpz1.m3047.net' for view standard is not a master or slave zone" That's the final denouement. There are several intermediate steps, such as moving all zone definitions into the

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread stuart@registry.godaddy
Look in to "match-destination" in a view, i.e. acl abcd.anycast { 10.10.10.1; }; view "abcd" { match-clients { any; }; match-destinations { abcd.anycast; }; ... }; The response-policy definition (and associated zone)

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Tony Finch
Fred Morris wrote: > > Didn't see any reason that it had to be separate instances of BIND, > thought maybe I could do it with views, but I've run into a couple of > roadblocks: > > 1. listen-on isn't supported in views. Right, listen-on is for the server as a whole. To control which view is

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Niall O'Reilly
match-destinations ? --- From an Android device, using BlueMail, which forces top-posting. On 18 Nov 2021, 20:40, at 20:40, Fred Morris wrote: >I wanted to provide enhanced recursive DNS to (internal) clients on an >"opt in" basis, which is to say that clients could choose whether or >not

Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
I wanted to provide enhanced recursive DNS to (internal) clients on an "opt in" basis, which is to say that clients could choose whether or not to receive enhanced replies based on what they configured as their local caching resolver. The enhanced services come in the form of a Response Policy

Re: nested $GENERATE possible?

2020-11-16 Thread Matus UHLAR - fantomas
On 12.11.20 15:32, Matus UHLAR - fantomas wrote: is it possible to nest $GENERATE directives? I have to create DNS for /16 subnet... so I assume it's not possible. just wanted to be sure...

nested $GENERATE possible?

2020-11-12 Thread Matus UHLAR - fantomas
Hello, is it possible to nest $GENERATE directives? I have to create DNS for /16 subnet...

Is it possible to do In-line Signing for local root zone

2020-04-12 Thread Mundile
I have local (private) root domain domainX.example and subdomains : subdomainY.domainX.example and subdomainZ.domainX.example. I can do chain of trust if all zones are In-line signed zone "domainX.example" { type master; file "named.domainX.example"; key-directory

Re: Non-disruptive migration to dnssec-policy possible?

2020-04-06 Thread Matthijs Mekking
To follow-up, Migration from existing keys to dnssec-policy was indeed not working properly, because the internal key states were not initialized properly. Key states were always initialized as "HIDDEN" and that is why the keymgr thought it could delete those keys immediately. The fix is to look

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-27 Thread Håkan Lindqvist via bind-users
On 2020-03-27 00:34, Shumon Huque wrote: In fact, "rndc zonestatus" reports the same for a very simple dnssec-policy test on a local zone I did: $ rndc zonestatus foo.test name: foo.test type: master files: zones/foo.test/zonefile serial: 100251 signed serial: 100257 nodes: 5 last

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-26 Thread Shumon Huque
On Thu, Mar 26, 2020 at 7:27 PM Håkan Lindqvist via bind-users < bind-users@lists.isc.org> wrote: > On 2020-03-26 23:00, Mark Andrews wrote: > > dnssec-policy should be independent of inline-signing. If it isn’t then > it is a bug. > > > > It just people like editing master files rather than

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-26 Thread Håkan Lindqvist via bind-users
On 2020-03-26 23:00, Mark Andrews wrote: dnssec-policy should be independent of inline-signing. If it isn’t then it is a bug. It just people like editing master files rather than using nsupdate to make changes. Ok, thank you for clarifying what should be expected. I guess that leaves the

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-26 Thread Mark Andrews
dnssec-policy should be independent of inline-signing. If it isn’t then it is a bug. It just people like editing master files rather than using nsupdate to make changes. > On 27 Mar 2020, at 08:02, Shumon Huque wrote: > > On Thu, Mar 26, 2020 at 3:35 PM Håkan Lindqvist via bind-users >

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-26 Thread Shumon Huque
On Thu, Mar 26, 2020 at 3:35 PM Håkan Lindqvist via bind-users < bind-users@lists.isc.org> wrote: > > A related thing that I've noticed in my tests is that "dnssec-policy x" > seems to also imply "inline-signing yes"? > Is this intended as a strict requirement, it seems a little awkward? > I'm

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-26 Thread Håkan Lindqvist via bind-users
I reported a bug with the requested details: https://gitlab.isc.org/isc-projects/bind9/issues/1706 A related thing that I've noticed in my tests is that "dnssec-policy x" seems to also imply "inline-signing yes"? Is this intended as a strict requirement, it seems a little awkward? On that

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-25 Thread Shumon Huque
This is no longer necessary with > > dnssec-policy as you can configure NSEC3 usage in named.conf (NOT > > IMPLEMENTED YET)." > > > > Is the "NOT IMPLEMENTED YET" still accurate? And if accurate, can you > > elaborate on what that means? e.g. NSEC3

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-25 Thread Matthijs Mekking
te? And if accurate, can you > elaborate on what that means? e.g. NSEC3 zones don't work at all? NSEC3 > zones can be generated and served, but NSEC3 parameters cannot be > managed/rolled? Or something else? > > If the latter, I was wondering if it is possible to combine pieces of >

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-25 Thread Shumon Huque
laborate on what that means? e.g. NSEC3 zones don't work at all? NSEC3 zones can be generated and served, but NSEC3 parameters cannot be managed/rolled? Or something else? If the latter, I was wondering if it is possible to combine pieces of the old and new ways, e.g. pre-configure an unsigned zon

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-25 Thread Håkan Lindqvist via bind-users
On 2020-03-25 14:03, Matthijs Mekking wrote: Existing keys do not have a .state file, and so named will try to match those keys with the policy by looking at the data in the .key and .private files. However, perhaps some metadata is different? If so the keys don't match the policy and named will

Re: Non-disruptive migration to dnssec-policy possible?

2020-03-25 Thread Matthijs Mekking
Hi Håkan, First of all, thanks for trying out the new dnssec-policy feature. I'll admit there is insufficient documentation and tooling around migration to dnssec-policy, possibly there is a bug too. Existing keys do not have a .state file, and so named will try to match those keys with the

Non-disruptive migration to dnssec-policy possible?

2020-03-25 Thread Håkan Lindqvist via bind-users
Hello, I have seen essentially this same question/problem posed by others in other forums but never seen any proper answers to it. I have now tried this myself with BIND 9.16.1 and faced the exact same issue that I had previously read about. How does one migrate an already signed zone from

Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Dave Warren
On 2019-01-17 08:03, Fumiya Obatake wrote: Thank you for your reply. Since it seems very difficult to realize, I will consider other solutions. The obvious solution would be to use TCP.

Re: Is it possible to use nsupdate with EDNS0?

2019-01-17 Thread Fumiya Obatake
Thank you for your reply. Since it seems very difficult to realize, I will consider other solutions. Sincerely,

Re: Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Mark Andrews
plans to do so. s/named/nsupdate/ > -- > Mark Andrews > >> On 17 Jan 2019, at 00:14, Fumiya Obatake wrote: >> >> Is it possible to use nsupdate with edns0? >> >> Hello, all. >> I have some questions about nsupdate. >> >> I try to update a set of

Re: Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Mark Andrews
to that TCP still needs to be supported on the server anyway there really is no point in trying. Named does not attempt to send larger than 512 byte updates via UDP. There are no plans to do so. -- Mark Andrews > On 17 Jan 2019, at 00:14, Fumiya Obatake wrote: > > Is it possible to use

Is it possible to use nsupdate with EDNS0?

2019-01-16 Thread Fumiya Obatake
Is it possible to use nsupdate with edns0? Hello, all. I have some questions about nsupdate. I try to update a set of TXT records over 512 bytes in all by using nsupdate without -v option, and it makes TCP connection automatically. In RFC2136, `An update transaction may be carried in a UDP

Re: [BIND] Re: Is it possible to...

2018-08-09 Thread Jim Popovitch via bind-users
On Fri, 2018-08-10 at 09:47 +1000, Mark Andrews wrote: > > On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users > s...@lists.isc.org> wrote: > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > >

Re: Is it possible to...

2018-08-09 Thread Mark Andrews
> On 10 Aug 2018, at 5:46 am, Jim Popovitch via bind-users > wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Is it possible to... > > 1) use text only zone files, and > > 2) keep serials identical between those zone files and what i

Is it possible to...

2018-08-09 Thread Jim Popovitch via bind-users
Is it possible to... 1) use text only zone files, and 2) keep serials identical between those zone files and what is published in DNS, and 3) automatically handle signatures when adding new RRs, and 4) not have any journal files. Is all

Re: Possible To Log NXDOMAIN At The Server?

2018-01-30 Thread Warren Kumari
have two logging categories setup "queries" and "query-errors", both going > to separate logs. > > The problem is that the logs do not log what I am interested in. The queries > log, logs every query, the query-errors log supposedly only logs a SERVFAIL. > > Doe

Possible To Log NXDOMAIN At The Server?

2018-01-30 Thread Reineman, Rick
do not log what I am interested in. The queries log, logs every query, the query-errors log supposedly only logs a SERVFAIL. Does anyone know if it is possible to get what I want from the DNS server? Thanks, Rick

Re: Is it possible to filter (*.)wpad.* with RPZ?

2017-11-30 Thread Grant Taylor via bind-users
On 11/30/2017 12:04 AM, Daniel Stirnimann wrote: I doubt you can use RPZ for that. The testing that I did made me think that RPZ wouldn't be able to do it. I wonder if Response Policy Service (DNSRPS) can do it. We use https://dnsdist.org/ for that, our rule: -- WPAD Name Collission

Re: Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Daniel Stirnimann
7 19:12, Grant Taylor via bind-users wrote: > Is it possible to filter (*.)wpad.* with RPZ? Or do I need to look into > Response Policy Service and try to filter that way? > > I've used RPZ for various different things over the years, but I don't > quite know how to match a wild ca

Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Grant Taylor via bind-users
Is it possible to filter (*.)wpad.* with RPZ? Or do I need to look into Response Policy Service and try to filter that way? I've used RPZ for various different things over the years, but I don't quite know how to match a wild card on the right hand side. Context: I'd like to prevent

possible bug in bind9 on gentoo

2016-08-07 Thread Benny Pedersen
sorry if i post in the incorrect maillist https://bugs.gentoo.org/show_bug.cgi?id=590692 please forward it to developers to follow up on that bug, as i read it is named

retry limit exceeded / possible network problem?

2016-03-23 Thread Alex
Hi, I have a fedora23 system with bind-9.10.3 that's been running fine for a long time. For some reason this morning, queries started timing out. This is a mail server, so queries to spamhaus, barracuda, etc, started timing out with: Mar 23 14:46:57 mail03 postfix/postscreen[12635]: warning:

Re: Is it possible to have separate query logs for different views?

2015-03-12 Thread Peter Olsson
, UMnet, ITcom Information and Technology Services (ITS) rharo...@umich.edu 734-647-6524 desk On Mon, Mar 9, 2015 at 9:55 PM, Alan Clegg a...@clegg.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 3/9/15 3:04 AM, Peter Olsson wrote: Hello! Is it possible to have

Re: Is it possible to have separate query logs for different views?

2015-03-10 Thread Bob Harold
MESSAGE- Hash: SHA512 On 3/9/15 3:04 AM, Peter Olsson wrote: Hello! Is it possible to have separate query logs for different views? I tried putting this in the view block, but it failed with unknown option 'logging': logging { channel logging_query { file /var/log/named/query

Re: Is it possible to have separate query logs for different views?

2015-03-09 Thread Alan Clegg
On 3/9/15 3:04 AM, Peter Olsson wrote: Hello! Is it possible to have separate query logs for different views? I tried putting this in the view block, but it failed with unknown option 'logging': logging { channel logging_query { file

Is it possible to have separate query logs for different views?

2015-03-09 Thread Peter Olsson
Hello! Is it possible to have separate query logs for different views? I tried putting this in the view block, but it failed with unknown option 'logging': logging { channel logging_query { file /var/log/named/query-inside.log versions 30 size 5M

Re: Possible spnego licensing problem

2015-02-02 Thread Tony Finch
Mukund Sivaraman m...@isc.org wrote: That doesn't exactly mean general public, so does anyone else know where a license grant to implementors is documented? Section 4 of http://trustee.ietf.org/license-info/IETF-TLP-3.htm Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Cromarty,

Possible spnego licensing problem

2015-02-02 Thread israel shahak
The file spnego.asn1 in lib/dns appears to be non-free. It says to look at RFC 4178 for the full legal notice and RFC 4178 is under a non-free license. The file spnego.asn1 is also used to generate other files.

Re: Possible spnego licensing problem

2015-02-02 Thread Mukund Sivaraman
Hi Israel On Mon, Feb 02, 2015 at 03:05:43AM -0500, israel shahak wrote: The file spnego.asn1 in lib/dns appears to be non-free. It says to look at RFC 4178 for the full legal notice and RFC 4178 is under a non-free license. The file spnego.asn1 is also used to generate other files. The

Re: Possible spnego licensing problem

2015-02-02 Thread Mukund Sivaraman
On Mon, Feb 02, 2015 at 02:07:11PM +0530, Mukund Sivaraman wrote: The contents of the file are taken (adapted) from here: https://tools.ietf.org/html/rfc4178#page-16 IETF has published RFC 3978 about IETF Rights in Contributions: https://tools.ietf.org/html/rfc3978 RFC 3978 is obsoleted by

Re: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-28 Thread Daniel Ryslink
One more comment - ad process size, I did measure the process sizes via 'top', and the excessive memory was really and without a doubt allocated by named. While the machine has only 2GB of RAM, top reported named has allocated much more than that, swap was in use and free swap was steadily

Re: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-27 Thread J. Thomsen
On Tue, 27 Jan 2015 11:16:04 +0530,Mukund Sivaraman m...@isc.org wrote: Meanwhile, please can you enable statistics-channels in named.conf and send us a dump of the XML statistics along with process sizes reported by ps when named grows very large? I run the small script below every 5 minutes

Re: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-27 Thread Daniel Ryslink
Hello, I am sorry, but since I got under pressure to stabilize our main resolver operation, I had to downgrade to BIND 9.9.6 which effectively solved the problem (i.e. even with max-cache-size set to 0 [unlimited], the amount of memory allocated by named reaches certain maximum and remains

Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-26 Thread Daniel Ryšlink
: Fri, 23 Jan 2015 21:45:37 +0100 From: Daniel Ryšlink rysl...@dialtelecom.cz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: bind-users@lists.isc.org Subject: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1

Re: Possible memory leak on BIND 9.10.1-P1 running on FreeBSD 10.1-RELEASE-p4 - part 2

2015-01-26 Thread Mukund Sivaraman
Hi Daniel On Mon, Jan 26, 2015 at 02:56:44PM +0100, Daniel Ryšlink wrote: Downgraded to BIND 9.9.6, the leak is gone, using the same named.conf, same HW, same environment. It is highly likely there is really a memory leak problem in Bind 9.10. Because many of these reports are on FreeBSD

Re: Possible bug in dig

2014-12-01 Thread Tomas Hozza
On 11/28/2014 02:10 PM, Daniel Ryšlink wrote: Happened in dig from bind-tools 9.9 and 9.10, both on Linux and FreeBSD. After issuing the following command, dig ends with a core dump: dig +trace +topdown +sigchase +trusted-key=./key.txt rhybar.cz mx Launch a query to find a RRset of type

Possible bug in dig

2014-11-28 Thread Daniel Ryšlink
Happened in dig from bind-tools 9.9 and 9.10, both on Linux and FreeBSD. After issuing the following command, dig ends with a core dump: dig +trace +topdown +sigchase +trusted-key=./key.txt rhybar.cz mx Launch a query to find a RRset of type DNSKEY for zone: . message.c:2306:

Re: Is this scenario possible?

2014-01-13 Thread Matus UHLAR - fantomas
In article mailman.1996.1389470377.20661.bind-us...@lists.isc.org, Blason R blaso...@gmail.com wrote: Pertaining to the same discussion. Can someone validate below zone files and named.conf files? What I wanted to achieve here is; I wanted to make mail.example.com as my sub domain and give them

Re: Is this scenario possible?

2014-01-11 Thread Blason R
Hey all, Pertaining to the same discussion. Can someone validate below zone files and named.conf files? What I wanted to achieve here is; I wanted to make mail.example.com as my sub domain and give them A record so that I could load balance the traffic on LBs since my LBs are offering inbuilt DNS

Re: Is this scenario possible?

2014-01-11 Thread Barry Margolin
In article mailman.1996.1389470377.20661.bind-us...@lists.isc.org, Blason R blaso...@gmail.com wrote: Hey all, Pertaining to the same discussion. Can someone validate below zone files and named.conf files? What I wanted to achieve here is; I wanted to make mail.example.com as my sub domain

Re: Is this scenario possible?

2014-01-11 Thread Blason R
Oh yeah you are right...I missed that out :) Thanks for pointing it out.. On Sun, Jan 12, 2014 at 2:03 AM, Barry Margolin bar...@alum.mit.edu wrote: In article mailman.1996.1389470377.20661.bind-us...@lists.isc.org, Blason R blaso...@gmail.com wrote: Hey all, Pertaining to the same

Re: Is this scenario possible?

2014-01-09 Thread Barry Margolin
In article mailman.1978.1389240374.20661.bind-us...@lists.isc.org, Blason R blaso...@gmail.com wrote: Hey Guys, lets say I have a domain example.com which is hosted out and are having MX records as mail01.example.com and mail02.example.com and mail.example.com as a A Record for accessing

Is this scenario possible?

2014-01-08 Thread Blason R
Hey Guys, lets say I have a domain example.com which is hosted out and are having MX records as mail01.example.com and mail02.example.com and mail.example.com as a A Record for accessing mails example.com NA ns1.example.com ns2.example.com IN

writing .jnl files to another path possible?

2013-07-29 Thread Christoph Anton Mitterer
Hi. Is it possible to have BIND writing the .jnl files from a dynamic update or that may be created on rndc reload to another place, e.g. when the zones are in /etc/bind/zones not placing them there but in e.g. /var/cache/bind/zones... Cheers, Chris.

Re: writing .jnl files to another path possible?

2013-07-29 Thread Chris Thompson
On Jul 29 2013, Christoph Anton Mitterer wrote: Is it possible to have BIND writing the .jnl files from a dynamic update or that may be created on rndc reload to another place, e.g. when the zones are in /etc/bind/zones not placing them there but in e.g. /var/cache/bind/zones... Sure. Look

Re: writing .jnl files to another path possible?

2013-07-29 Thread Christoph Anton Mitterer
On Mon, 2013-07-29 at 20:18 +0100, Chris Thompson wrote: Look at the journal option in the zone statement. Thanks... that should do... =) Cheers, Chris.

Re: Possible DDoS?

2012-10-18 Thread G.W. Haywood
Hi there, On Wed, 17 Oct 2012, Manson, John wrote: Does this rise to the level of a DDoS attack? 82 queries in a second is modest, but you're in US government and that IP is in China. Given the recent publicity, IMO that's probable cause. I blackhole IPs that behave like this.

Possible DDoS?

2012-10-17 Thread Manson, John
From time to time I notice a large number of queries like these to one of my external dns servers: 14:14:40.01407 121.10.105.66 - 143.231.1.67 DNS C gop.gov. Internet * ? 14:14:40.01529 121.10.105.66 - 143.231.1.67 DNS C speaker.gov. Internet * ? 14:14:40.03688 121.10.105.66 - 143.231.1.67 DNS C

Re: Possible DDoS?

2012-10-17 Thread Chuck Swiger
Hi-- On Oct 17, 2012, at 11:17 AM, Manson, John wrote: From time to time I notice a large number of queries like these to one of my external dns servers: 14:14:40.01407 121.10.105.66 - 143.231.1.67 DNS C gop.gov. Internet * ? [ ... ] 14:14:40.98668 121.10.105.66 - 143.231.1.67 DNS C

Re: Possible DDoS?

2012-10-17 Thread Dennis Clarke
From time to time I notice a large number of queries like these to one of my external dns servers: 14:14:40.01407 121.10.105.66 - 143.231.1.67 DNS C gop.gov. Internet * ? snip Does this rise to the level of a DDoS attack? No NS record for this IP. I blackhole IPs that behave like

Re: Possible DDoS?

2012-10-17 Thread Phil Mayers
pounding queries at me at a rate of 48,000+ a day : Some packets are arriving with that source IP. Big difference. It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to). Queries show up in bunches, while the average is every

答复: Re: Possible DDoS?

2012-10-17 Thread Tony Xue
the packet can see there're exactly the same type of attack. -Original Message- From: Phil Mayers p.may...@imperial.ac.uk Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.org Date: Wed, 17 Oct 2012 23:59:11 To: bind-users@lists.isc.org Subject: Re: Possible DDoS? On 10/17/2012 07:39 PM

Re: 答复: Re: Possible DDoS?

2012-10-17 Thread Phil Mayers
On 10/18/2012 12:12 AM, Tony Xue wrote: I am pretty sure the sources were hacked because one of my another What makes you think the source IPs were real?

答复: Re: 答复: Re: Possible DDoS?

2012-10-17 Thread Tony Xue
@lists.isc.org Date: Thu, 18 Oct 2012 00:22:24 To: bind-users@lists.isc.org Subject: Re: 答复: Re: Possible DDoS? On 10/18/2012 12:12 AM, Tony Xue wrote: I am pretty sure the sources were hacked because one of my another What makes you think the source IPs were real

Possible dnssec-signzone re-sign bug with former orphan glue

2012-07-16 Thread Paul Wouters
Hi, When using dnssec-signzone manually to sign a zone, I think there is a case where it does not drop the RRSIGs when I think it should. Imagine that dnssec-signzone is used with the old signed zone's RRSIG/NSEC* data, along with an updated unsigned zone. Let's say we are example.com. At T=0 we

possible to create simple DNS server that effects mapping network drive?

2012-02-16 Thread modjklist
Hi, I'm new to BIND, and was wondering if it would be a good fit for my application. I need to map a remote Linux CentOS 6.2 drive onto my Mac Snow Leopard machine. I currently use Panic Transmit for this. The mapping process uses SFTP protocol and results in the hostname of:

Re: possible to create simple DNS server that effects mapping network drive?

2012-02-16 Thread modjklist
Subject: possible to create simple DNS server that effects mapping network drive? Hi, I'm new to BIND, and was wondering if it would be a good fit for my application. I need to map a remote Linux CentOS 6.2 drive onto my Mac Snow Leopard machine. I currently use Panic Transmit

Re: DNSSEC made simple, is this possible?

2012-01-14 Thread Michelle Konzack
Hello Howard Leadmon, On 2012-01-11 10:31:11, you hacked down the following: Then I go to make a change to my DNS file, whoa was I in for a shock, as :-D So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files

DNSSEC made simple, is this possible?

2012-01-11 Thread Howard Leadmon
OK, in an attempt to start using DNSSEC over here, I suppose I bit myself in the backside, and even spending some time using googlefu I still haven't quite figured this all out. I am currently running the current BIND 9.8.1, and setup to support DNSSEC. After reading around a bit, I saw that

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Michael Graff
You want BIND 9.9 (currently 9.9.0rc1) with inline signing. This will do exactly what you want, I think. --Michael On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote: OK, in an attempt to start using DNSSEC over here, I suppose I bit myself in the backside, and even spending some time

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Phil Mayers
On 11/01/12 15:31, Howard Leadmon wrote: Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and As you found out, you cannot do that. auto-dnssec maintain requires that updates to the zone be via

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Michael Graff
ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9 today. While the first one starts in 15 minutes as I write this message, there are a total of three sessions today. Head on over to http://www.isc.org/webinar to find out the times and information on how to join.

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Tony Finch
Howard Leadmon how...@leadmon.net wrote: So I guess my million dollar question is, I want to use DNSSEC (it's actually working now), but I want to be able to edit my zone files the way I always have for many years, and just have BIND sign the zones with the keys and update as needed to keep

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread Howard Leadmon
...@isc.org] Sent: Wednesday, January 11, 2012 10:48 AM To: Howard Leadmon Cc: bind-users@lists.isc.org Subject: Re: DNSSEC made simple, is this possible? ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9 today. While the first one starts in 15 minutes as I write

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Ryan Novosielski
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/11/2012 10:47 AM, Phil Mayers wrote: On 11/01/12 15:31, Howard Leadmon wrote: Then I go to make a change to my DNS file, whoa was I in for a shock, as apparently BIND took my nice text file for DNS I have edited for ages, and As you

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread WBrown
I took the ISC 2 day Intro to DNS and BIND class. The instructor made a good point that building from source frees you from the dependence on the distro's package maintainer. As part of the class, we had to compile bind from scratch. It was very straightforward ./configure, make, make

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Phil Mayers
On 11/01/12 17:04, Ryan Novosielski wrote: Not that this is honestly so hard, however. I have played with it at home some and the ns-update command means that you can still at least do this manually fairly easily from the command line. Is my read on that correct? Performing a dynamic DNS

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Doug Barton
On 1/11/2012 8:50 AM, Howard Leadmon wrote: Now if FreeBSD would just add 9.9 to the ports collection I generally don't add new versions until they are released, but if there is sufficient interest I can take a look at adding this as a -devel version sooner rather than later. Doug --

RE: DNSSEC made simple, is this possible?

2012-01-11 Thread Howard Leadmon
] Sent: Wednesday, January 11, 2012 12:21 PM To: Howard Leadmon Cc: 'Michael Graff'; bind-users@lists.isc.org Subject: Re: DNSSEC made simple, is this possible? On 1/11/2012 8:50 AM, Howard Leadmon wrote: Now if FreeBSD would just add 9.9 to the ports collection I generally don't add new

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Doug Barton
On 1/11/2012 9:27 AM, Howard Leadmon wrote: As always thanks for all the support for things like this on the FreeBSD side. My pleasure. That said, I'd love to see that happen, even as a -devel type port, since in general when ISC considers something an RC, it's pretty darn stable by the

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Tony Finch
Phil Mayers p.may...@imperial.ac.uk wrote: Something like Tony's nsdiff script (see his post) makes it relatively easy, but it's still another step. It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/
