At 14:52 29-09-2011, Michael Graff wrote:
We came to the conclusion that no matter how much we wanted it to
not be true, people find a way to do NXDOMAIN if they want to. The
issue is not ours to push, it's between the ISP and the customer
ultimately, and people will do it -- and more
*except that perhaps those who enable this feature will use it as an
excuse to avoid enabling validation, which would be a very bad result
+1 +1
A *very* bad result.
-JP
On 30.09.2011 03:32, 刘明星:) wrote:
How does an ISP use a proxy to filter answers and return whatever they want to
the customer?
BIND can do that for you with Response Policy Zones (DNS RPZ).
See
On 29.09.2011 23:06, Bill Owens wrote:
*except that perhaps those who enable this feature will use it as an excuse
to avoid enabling validation, which would be a very bad result, IMO. . .
My reading of the docs says that BIND's NXDOMAIN redirections won't
break DNSSEC-signed results:
If the
On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote:
*except that perhaps those who enable this feature will use it as an excuse
to avoid enabling validation, which would be a very bad result, IMO. . .
My reading of the docs says that BIND's NXDOMAIN redirections won't
break
I have been playing with the new inline signing feature.
Documentation bug: the inline-signing option is not mentioned in the
syntax for slave zones.
I have not been able to get master inline signing working. Firstly, it
fails to create the signed copy of the zone automatically. If I create it
On Wed, Sep 28, 2011 at 04:19:41PM +0200, feralert wrote:
...
The thing is that I want users redirected to 'www.domain.com' even
when they just type the domain name 'domain.com'.
In order to do so I am not sure if it's best to have one A RR for each
or have an A RR for the domain and a CNAME RR
I opened a ticket on Tony's behalf so we can track the crash problem and the
other defects he mentioned. As I told him there, the master functionality is
still a work in progress, and the code's not there yet. Soon.
Thank you Tony for giving this a try as an alpha! Your time is appreciated.
. . . both Evan's blog post http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview
and the announcement of next week's webinar include NXDOMAIN
redirection as the first new feature. I'm really surprised by that
- is this something that BIND users were clamoring for?
Yes.
On 9/30/11 10:12 AM, John Wobus jw...@cornell.edu wrote:
I'm a BIND user who is clamoring to keep such a feature out of BIND.
In reality, there are plenty of you (us)... However, as usual (and
particularly for anything ruled by committee), a few (often with the most
capital) will ruin it for
On Thu, Sep 29, 2011 at 04:52:10PM -0500, Michael Graff wrote:
I'm happy you read it, and hope to see you at the forum/customer webinar next
week! I'll be speaking, and will bring my fireproof undies.
I'm already signed up, but no worries about flaming - at least not from me ;)
We came to
Good evening*,
I run my three NS with DNSSEC and now I have encountered, that it has
stopped maintaining the Zone since September and has not changed to
October. It was working for 4 months only.
I have no error messages in my logs.
Any hints, why this happen from time to time?
I use
We came to the conclusion that no matter how much we wanted it to not be true,
people find a way to do NXDOMAIN if they want to. The issue is not ours to
push, it's between the ISP and the customer ultimately, and people will do it
-- and more intrusively -- than BIND 9.9 will.
That is just
In our initial implementation of DNSSEC, we chose to try out the auto
functionalities in version 9.8.0 P4, i.e. using auto-dnssec maintain in
all master zones.
When going live, we found that though all zones that we are acting as
master for would populate their own DS records, but there would be no
On 9/30/2011 6:21 PM, Shawn Bakhtiar wrote:
We came to the conclusion that no matter how much we wanted it to not
be true, people find a way to do NXDOMAIN if they want to. The issue
is not ours to push, it's between the ISP and the customer ultimately,
and people will do it -- and more
On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote:
In our initial implementation of DNSSEC, we chose to try out the auto
functionalities in version 9.8.0 P4, i.e. using auto-dnssec maintain in
all master zones.
When going live, we found that though all zones that we are
On 01.10.2011 00:09, Michelle Konzack wrote:
I run my three NS with DNSSEC and now I have encountered, that it has
stopped maintaining the Zone since September and has not changed to
October.
Do you mean expired signatures or no signatures at all?
In the latter case, have you checked
Hmm, I see an A record using the same query:
[foo@dns1 ~]$ dig +dnssec extended.nau.edu a
; <<>> DiG 9.8.1 <<>> +dnssec extended.nau.edu a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13732
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;;
On Fri, Sep 30, 2011 at 08:48:56PM -0400, Jeff Reasoner wrote:
Hmm, I see an A record using the same query:
Interesting. . . my validating resolver (also 9.8.1) will only give me an A if
I ask with +cd. And if I follow that query with another, without the +cd, I get
SERVFAIL; then re-querying
On 01.10.2011 02:48, Jeff Reasoner wrote:
Hmm, I see an A record using the same query:
[foo@dns1 ~]$ dig +dnssec extended.nau.edu a
I get a SERVFAIL response for the first query and NXDOMAIN for
subsequent request:
named: client 127.0.0.1#54707: query: extended.nau.edu IN A +ED (127.0.0.1)