Re: Latest BIND on Debian 8.7 (jessie) crashed due to assertion failure

2017-04-19 Thread Carlos Pizarro
Thanks Mukund, this was the info I was looking for. Have a great day. On Apr 20, 2017 2:54 AM, "Mukund Sivaraman" wrote: Hi Carlos On Thu, Apr 20, 2017 at 12:54:47AM -0300, Carlos Pizarro wrote: > Today the bind9 service crashed and these were the last few log lines when > it

Re: Slow zone signing with ECDSA

2017-04-19 Thread Paul Kosinski
"The tinfoil hat brigade in some distributions has resisted using them, fearing some conspiracy to provide not-so-random numbers." I think the NSA *did*, in fact, compromise the "Dual Elliptic Curve Deterministic Random Bit Generator" and paid RSA to make it the default in one of their products

Latest BIND on Debian 8.7 (jessie) crashed due to assertion failure

2017-04-19 Thread Carlos Pizarro
Hello, I'm running the latest stable BIND available on Debian 8.7: root@host:~# named -v BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) root@host:~# dpkg -s bind9 | grep 'Version' Version: 1:9.9.5.dfsg-9+deb8u10 https://packages.debian.org/jessie/bind9 Today the bind9 service crashed

Re: Re: Slow zone signing with ECDSA

2017-04-19 Thread Timothe Litt
On 19-Apr-17 21:43, Mark Andrews wrote: > ... > DSA requires random values as part of the signing process. Really > all CPUs should have real random number sources built into them > and new genuine random values should only be an instruction code away. > > Mark Most recent ones do. See RDRAND

Re: Slow zone signing with ECDSA

2017-04-19 Thread Mark Andrews
In message , "Spain, Dr. Jeffry A." writes: > > Install and run haveged... The problem is your system doesn't have > > enough entropy > > This was clearly the problem. I built a new test server with haveged >

RE: Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
> Install and run haveged... The problem is your system doesn't have enough > entropy This was clearly the problem. I built a new test server with haveged installed, and the bind9 completed ECDSAP256SHA256 signing in 5 seconds. I used 9.11.1 this time since it was just released today.

bind 9.11.1, linking with 'supported' OpenSSL fails at use of deprecated/undef'd v10x api symbol, ERR_load_crypto_strings

2017-04-19 Thread PGNet Dev
Upgrading from bind 9.10.3-P5 -> 9.11.1 release on linux64, cat CHANGES ../dns/.libs/libdns.so: undefined reference to `ERR_load_crypto_strings' collect2: error: ld returned 1 exit status --- 9.11.0 released --- ...

RE: Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
> Install and run haveged... The problem is your system doesn't have enough > entropy in the processor or maybe it's a VM but either way there is not > enough entropy to produce random seeds which is why it is taking so long. Thanks, David. The system is a Microsoft Azure VM. I assumed that

Slow zone signing with ECDSA

2017-04-19 Thread Spain, Dr. Jeffry A.
I'm testing a bind9 v11.1.0-P5 server signing 8 small zones de novo with ECDSAP256SHA256. The process takes about 12 hours to complete vs. signing with RSASHA256, which is almost immediate, but signing is ultimately successful. The server is running Ubuntu 16.04 LTS with current patches. I

Re: views

2017-04-19 Thread Grant Taylor via bind-users
On 04/19/2017 10:58 AM, Victoria Risk wrote: We have implemented ECS for recursive queries in 9.10.5-S, the subscriber preview edition of BIND, which will be released today. For now, ECS recursion is available only to users with a support contract with ISC. Development of this feature was a

Re: views

2017-04-19 Thread Victoria Risk
> On Apr 19, 2017, at 8:47 AM, Nico CARTRON wrote: > >> Nor did I see >> details on how to have BIND send ECS with queries when it's a recursive >> server. > > As far as I know, ECS for Recursive queries is not yet implemented by ISC, or > at least it is not publicly

Re: views

2017-04-19 Thread Grant Taylor via bind-users
On 04/19/2017 09:49 AM, Nico CARTRON wrote: Of course I meant +subnet / +nosubnet ;-) Thank you for the pointers Nico & Tony. I'm sure I'll find a way to get myself into trouble with what you've provided. -- Grant. . . . unix || die

Re: views

2017-04-19 Thread Nico CARTRON
On 19-Apr-2017 16:47 BST, wrote: > On 19-Apr-2017 15:59 BST, wrote: > [...] > > I'd also like to see if it's possible to have dig send ECS info. > > +edns / +noedns , but you'll need a recent dig version. Of course I meant +subnet / +nosubnet

Re: views

2017-04-19 Thread Nico CARTRON
Hi Grant, On 19-Apr-2017 15:59 BST, wrote: > On 04/19/2017 03:37 AM, Tony Finch wrote: > > This is what the EDNS client subnet option is about. You can use it in > > BIND by adding "ecs" clauses to your address match lists for views or > > acls. However it isn't

Re: views

2017-04-19 Thread Tony Finch
Grant Taylor via bind-users wrote: > > The only occurrences I found for "ecs" on the two release notes didn't > include more details about how to configure views to use it. Yes, it's a bit mysterious. > Nor did I see details on how to have BIND send ECS with queries

Re: views

2017-04-19 Thread Grant Taylor via bind-users
On 04/19/2017 03:37 AM, Tony Finch wrote: This is what the EDNS client subnet option is about. You can use it in BIND by adding "ecs" clauses to your address match lists for views or acls. However it isn't documented in the ARM and it has significant problems. See

Re: views

2017-04-19 Thread Alberto Rinaudo
I understand the concept, but I'm not sure I fully understand how to configure it. I've updated my bind to 9.11 P05 compiled with "--with-ecdsa", and as far as I can read EDNS is enabled for authoritative bind installations automatically. But I'm still getting wrong answers from my installation.

Re: views

2017-04-19 Thread Tony Finch
Alberto Rinaudo wrote: > I have a bind installation on an AWS server and I'm trying to set up views > to give different responses based on the source location. > > It works fine when this dns server is the first dns used by a client, I > guess because the source address

Re: HA: RE: BIND 9 windows XP builds

2017-04-19 Thread Reindl Harald
On 19.04.2017 at 06:52, i.chu...@volga.ttk.ru wrote: Hello all. Regarding the "critical mass": I'm the one who downloads BIND from XP box and I do it just to set it up on internal Linux machine. The reason to use XP as PC OS is company's policy and lack of money after all. :) P. S.: I can

views

2017-04-19 Thread Alberto Rinaudo
Hello, I have a bind installation on an AWS server and I'm trying to set up views to give different responses based on the source location. It works fine when this dns server is the first dns used by a client, I guess because the source address used to discriminate between views is the last hop. If