Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Niobos
Thank you for the excellent advice!

On 2010-09-20 18:09, Kevin Oberman wrote:
> I recommend anyone attempting to secure their DNS read the NIST Computer
> Security Resource Center document SP800-81 Rev.1, "Secure Domain Naming
> System (DNS) Guide" at:
> http://csrc.nist.gov/publications/nistpubs/

Re: DDNS Updates fail When More Than 15 Authoritative Servers (NS records) are listed in a Dynamically Updated Zone

2010-09-20 Thread Chris Buxton
It probably has something to do with the packet size. You can't easily fit 25 NS records into a 512 byte UDP packet. You really don't want to have more than 8 published NS records for most purposes.

Chris Buxton
BlueCat Networks

On Sep 20, 2010, at 2:30 PM, Christopher Cain wrote:
> [I apolog

DDNS Updates fail When More Than 15 Authoritative Servers (NS records) are listed in a Dynamically Updated Zone

2010-09-20 Thread Christopher Cain
[I apologize in advance if this is a double post. I'm not sure if my original went through] I was implementing ISC Bind 9.5 at a client site last month and had a single zone that accepted DDNS updates only from the ISC DHCP service. The environment consisted of a Master BIND server and almost 25

Auto signing & ARM

2010-09-20 Thread Timothe Litt
I'm trying to get named and my management tool cooperating with named on DNSSEC key management. I'm seeing behavior with auto-signing that doesn't strictly match the ARM and would like to know what's correct. I'm also not clear on what named expects for some cases. 4 questions after a little co

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kalman Feher
On 20/09/10 6:09 PM, "Kevin Oberman" wrote:
>> Date: Mon, 20 Sep 2010 11:03:31 +0200
>> From: Kalman Feher
>> Sender: bind-users-bounces+oberman=es@lists.isc.org
>>
>> Apologies in advance for the longer than intended reply.
>>
>> I've spent a lot of time reviewing documents regarding t

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kevin Oberman
> Date: Mon, 20 Sep 2010 11:03:31 +0200
> From: Kalman Feher
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> Apologies in advance for the longer than intended reply.
>
> I've spent a lot of time reviewing documents regarding timing values and
> they vary quite widely. One observati

Re: 2038 problem and BIND.

2010-09-20 Thread Tony Finch
On Mon, 20 Sep 2010, Alan Clegg wrote:
>
> All signature expire times are in MMDDHHMMSS format in the zone data
> and are handled correctly as far as BIND deals with it.
>
> If your OS deals with the 2038 issue correctly, then BIND will as well.

RFC 4034 says that the signature validity times

Re: 2038 problem and BIND.

2010-09-20 Thread Alan Clegg
On 9/19/2010 6:57 AM, kalpesh varyani wrote:
>
>
> I would just like to know, how BIND takes care of the 2038 problem.
> Since now DNSSEC has a lot to do with timings, there could be issues if
> someone would set the signature expiry time to a large value (possibly
> after Y2K38). This can create

Re: NSEC3 salt lifetime (and some other DNSSEC params): sane value?

2010-09-20 Thread Kalman Feher
Apologies in advance for the longer than intended reply. I've spent a lot of time reviewing documents regarding timing values and they vary quite widely. One observation I've made is that many recommendations, especially those that are a little older, are predicated on the assumption that the proc