Evan/et.al.,
I've updated to 9.10.2, adjusted the timers, etc., and have managed to
follow the keyroll.systems test over night (a handful of key changes) plus
still get the desired AD bit.
With the timing in mind, I looked at my unbound (I realize this is BIND
users ;)) which wasn't keeping up
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Using - to get it to dump the secroots output to stdout is a new
feature added for 9.11. That hasn't been published yet, but if you build
from the source tree at source.isc.org (like Tony does),
On 4/21/15, 10:15, Warren Kumari war...@kumari.net wrote:
From the ARM:
Sigh, RTFM...(My, BIND's gotten a lot more complicated/feature-rich since
I last read the docs.)
Hey, it's there.
smime.p7s
Description: S/MIME cryptographic signature
___
Edward Lewis edward.le...@icann.org wrote:
I have a suggestion - is there a way to query a BIND server for it's trust
anchor key set?
rndc secroots
(though this only provides the key tags not the public key data)
I say perhaps unnecessary because the information may be available on
disk
Edward Lewis edward.le...@icann.org wrote:
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Tony.
--
f.anthony.n.finch d...@dotat.at
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis edward.le...@icann.org wrote:
On 4/21/15, 9:45, Tony Finch d...@dotat.at wrote:
rndc secroots
You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had
On 4/21/15, 9:45, Tony Finch d...@dotat.at wrote:
rndc secroots
You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had my rndc port bumped out of sudo-land, so it's overridden:)
$ rndc -p 1953 -c
My lesson is - besides just working out the configuration - testing
RFC5011 takes more patience than just about any other feature of
DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well.
As a side note: can you imagine my surprise when, after
On Mon, Apr 20, 2015 at 4:33 PM, Evan Hunt e...@isc.org wrote:
On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
That page says (for BIND):
Note: When using this config file you will probably need to delete
On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
That page says (for BIND):
Note: When using this config file you will probably need to delete
/var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys*
every time you restart BIND after missing a keyroll.
On Mon, Apr 20, 2015 at 3:41 PM, Edward Lewis edward.le...@icann.org wrote:
Thanks. rm'd the file and added the timers. (I did that also after
sending, so it is the deleting the old file that did the trick.) The
start-up lines look good.
Got an AD bit again too.
(I may have a few more
On Mon, Apr 20, 2015 at 06:42:42PM +, Edward Lewis wrote:
Being that I'm working on a laptop (hence on on over the weekend) I've had
to recreate the environment today. I'm a bit more puzzled now.
There's a separate file that named creates to keep the current
managed keys state information
Thanks to Evan for the last look and thanks to Jan-Piet for the suggestion
to go to 9.10.2.
Being that I'm working on a laptop (hence on on over the weekend) I've had
to recreate the environment today. I'm a bit more puzzled now.
I've built and installed BIND 9.10.2. Using
Thanks. rm'd the file and added the timers. (I did that also after
sending, so it is the deleting the old file that did the trick.) The
start-up lines look good.
Got an AD bit again too.
(I may have a few more issues as I move this off a laptop on to a regular
machine. Right now it helps
Edward,
the subject of this message piqued my interest ;-)
17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
Very ouch. Much pain. Lots frustration. Many hairpulls. Mucho crash. ;)
Upgrade to 9.10.2 [1] in which Evan fixes the CVE we discovered on
RFC5011 rolls and, thankfully,
I am building named and unbound recursive servers to follow a test of RFC
5011 trust anchor updates, the experiment is documented at
http://keyroll.systems. One reason why I'm asking here is in
http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/
which mentions some issues with RFC
Thanks. Now have 'ad' bits via both BIND and unbound.
Will let you know when I've shot myself in the foot.
On 4/17/15, 12:45, Evan Hunt e...@isc.org wrote:
...
instead of waiting a full 30 days. (This is, I hope obviously, *not*
something you want to run in production. :) )
smime.p7s
On Fri, Apr 17, 2015 at 02:46:16PM +, Edward Lewis wrote:
I am building named and unbound recursive servers to follow a test of RFC
5011 trust anchor updates, the experiment is documented at
http://keyroll.systems. One reason why I'm asking here is in
18 matches
Mail list logo