Re: disable dnssec for particular domain

2018-02-07 Thread Michelle Konzack
Good evening, On 2018-02-07 Reindl Harald typed away at the keys: > On 07.02.2018 at 18:38 Matus UHLAR - fantomas wrote: >> neither is possible for now. as I said, neither our customer nor >> its upstream does maintain the domain. > > i will point at that case when someone asks why i insist of be

Re: disable dnssec for particular domain

2018-02-07 Thread Warren Kumari
On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote: > Michelle Konzack wrote: > >> If someone is interested making a slave for me, I can do >> the same with him/her/whatelse. > > I'm cheap, so for my personal domains I use free secondaries from >

Re: disable dnssec for particular domain

2018-02-07 Thread Michelle Konzack
Thank you, On 2018-02-08 Warren Kumari typed away at the keys: > On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote: >> Michelle Konzack wrote: >> >>> If someone is interested making a slave for me, I can do >>> the same with him/her/whatelse. >> >> I'm

Re: disable dnssec for particular domain

2018-02-07 Thread Reindl Harald
On 07.02.2018 at 12:12 Reindl Harald wrote: On 07.02.2018 at 12:07 Matus UHLAR - fantomas wrote: On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: what's the difference, when the domain doesn't exist? is it because .eu is signed? On 06.02.18 16:35, Ray Bellis wrote: Perhaps,

Re: disable dnssec for particular domain

2018-02-07 Thread Matus UHLAR - fantomas
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: what's the difference, when the domain doesn't exist? is it because .eu is signed? On 06.02.18 16:35, Ray Bellis wrote: Perhaps, although I'm not sure why given that .eu is signed with NSEC3 and opt-out. Are you *sure* that the domain

Re: disable dnssec for particular domain

2018-02-07 Thread Reindl Harald
On 07.02.2018 at 12:07 Matus UHLAR - fantomas wrote: On 06/02/2018 16:31, Matus UHLAR - fantomas wrote: what's the difference, when the domain doesn't exist? is it because .eu is signed? On 06.02.18 16:35, Ray Bellis wrote: Perhaps, although I'm not sure why given that .eu is signed

Re: disable dnssec for particular domain

2018-02-07 Thread Mark Elkins
Thanks for providing the domain name in question (testa.eu). Indeed, port 43 whois shows no nameservers - neither does the web based whois on whois.eurid.eu, though the name does exist in the 'eu' registry system. Dig gives me nothing either... $ dig testa.eu ns +short $ dig testa.eu ds +short

Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > the name is "testa.eu". OK, let's dig it (trimmed for relevance): ; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8,

Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Michelle Konzack wrote: > If someone is interested making a slave for me, I can do > the same with him/her/whatelse. I'm cheap, so for my personal domains I use free secondaries from https://puck.nether.net/dns/ and https://admin.gratisdns.com/ Tony. --

Re: disable dnssec for particular domain

2018-02-07 Thread Michelle Konzack
Ahoy Matus, On 2018-02-07 Matus UHLAR - fantomas typed away at the keys: > yes. even web whois shows no 'nameserver' information. > > the name is "testa.eu". Oi, the owner is the European Commission! It seems, they have the privilege, not to attribute Name Server to the domain. A normal

Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Pruned debug logs... validating testa.eu/DS: looking for closest encloser validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA indicates potential closest encloser: 'eu' validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA at super-domain eu validating testa.eu/DS: NSEC3

Re: Enable systemd hardening options for named

2018-02-07 Thread Ludovic Gasc
Hi, More below. 2018-02-06 21:49 GMT+01:00 Petr Menšík : > Hi, More below > > On 1.2.2018 at 01:36 Ludovic Gasc wrote: > > 2018-01-31 21:47 GMT+01:00 Petr Menšík > >: > > > > Hi Ludovic, > > > > > > Hi Petr, > > > >

Re: disable dnssec for particular domain

2018-02-07 Thread G.W. Haywood via bind-users
Hi there, On Wed, 7 Feb 2018, Michelle Konzack wrote: ... Note: If someone is interested making a slave for me ... Is there a reason you don't use e.g. he.net? https://dns.he.net/ They do say of DNSSEC that they are "exploring this now" but it seems to work for me. -- 73, Ged.

Re: disable dnssec for particular domain

2018-02-07 Thread Matus UHLAR - fantomas
On 07.02.18 12:26, Tony Finch wrote: Aha! I think what's happening here is that BIND is expecting a NODATA response, to indicate that there is a delegation without a DS record. (For an example, `dig +dnssec +multiline europa.eu ds`) However the validator gets an NXDOMAIN response claiming the

Re: disable dnssec for particular domain

2018-02-07 Thread Tony Finch
Matus UHLAR - fantomas wrote: > > I wonder why does it do that. I have configured a zone to be type > forward and expected it to work as configured, not be validated > upstream. Validation is mostly independent of resolution, so even if you configure a zone explicitly, the

Re: disable dnssec for particular domain

2018-02-07 Thread Matus UHLAR - fantomas
Matus UHLAR - fantomas wrote: I wonder why does it do that. I have configured a zone to be type forward and expected it to work as configured, not be validated upstream. On 07.02.18 14:14, Tony Finch wrote: Validation is mostly independent of resolution, so even if you

Re: disable dnssec for particular domain

2018-02-07 Thread Reindl Harald
On 07.02.2018 at 18:38 Matus UHLAR - fantomas wrote: neither is possible for now. as I said, neither our customer nor its upstream does maintain the domain. i will point at that case when someone asks why i insist of be registrar as well as dns-provider for anything i have to deal with it