RE: DNSSEC Signing & Key Questions

2011-10-04 Thread Marc Lampo
Hello, For 3) automate zone signing and zsk roll-over I know of no tools that are readily available - there are appliances (look in the IPAM world of products), that handle DNSSEC for you. However, I have in our “DNSSEC workshop” course environment a setup that looks at time stamps of Linux

Re: dnssec config sanity check

2011-10-04 Thread Paul B. Henson
On 10/3/2011 11:45 PM, Stephane Bortzmeyer wrote: Experience of DNSSEC deployment (see my paper at SATIN) shows that custom programs have many timing bugs. Many things can go wrong. Why not use an existing program such as Open

Re: Bind takes a long time to resolve requests

2011-10-04 Thread Mark Andrews
In message , Pablo Maurelli writes: > > hello, pick up a dns server with bind9, is resolving claims, but it takes > time to resolve a lot, sometimes throw timeout error and the second time > resolved, any ideas? > I pass below my named.conf, host.conf and nsswitch.conf > > from already thank yo

Re: dnssec config sanity check

2011-10-04 Thread Paul B. Henson
On 10/3/2011 6:31 PM, Mark Andrews wrote: Don't ASSUME that the DS will be published in time. Build checks into your procedures from the beginning. e.g. Publish and activate July 1. Change DS records July 8. Check that DS is published July 15 and set inactivate and deletion

Re: Bind takes a long time to resolve requests

2011-10-04 Thread Kevin Darcy
On 10/4/2011 12:40 PM, Pablo Maurelli wrote: hello, pick up a dns server with bind9, is resolving claims, but it takes time to resolve a lot, sometimes throw timeout error and the second time resolved, any ideas? I pass below my named.conf, host.conf and nsswitch.conf *_DIG:_*

R: Bind DLZ and Postgres 8.4.8

2011-10-04 Thread Job
Hello, everything is fine, I patched the source tree! Thank you, regards! Francesco From: bind-users-bounces+job=colliniconsulting...@lists.isc.org [mailto:bind-users-bounces+job=colliniconsulting...@lists.isc.org] On behalf of Job Sent: Monday, 3 October 2011

Re: DNSSEC Signing & Key Questions

2011-10-04 Thread Mark Elkins
Played with OpenDNSSEC - and was a bit disappointed. Actually flew to Sweden and attended the course. It works - but acts like a black box - you don't have any finger-poking ability when things go wrong (for fun - we deleted a key out of the HSM - bad idea!) I don't like having to run everything D

Re: DNSSEC Signing & Key Questions

2011-10-04 Thread Tony Finch
McConville, Kevin wrote: > > 1) Is there any way to have the zsk be auto-generated based upon the > inactive date listed in the zsk meta-data? Not yet, though I believe this feature is on the wish list. > 2) With a static zone, are the update-policy local and auto-dnssec > maintain options inv

Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Tony Finch
Raymond Drew Walker wrote: > In testing, this pipe sets up the following for nsupdate which fails: Sorry, I forgot the TTL command. Adjust its value as you require... dig +noall +answer dnskey $child | dnssec-dsfromkey -f /dev/stdin $child | (echo "zone $parent"; echo "ttl 3600"; sed 's/^

Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Bill Owens
On Tue, Oct 04, 2011 at 06:31:03PM +, Raymond Drew Walker wrote: > I have been unable to determine the correct method to add a DS record by > hand. The ultimate goal would be the automation of this process. Generate the DS record with dnssec-dsfromkey, cut and paste it into the zone file, the

DNSSEC Signing & Key Questions

2011-10-04 Thread McConville, Kevin
I'm new to this list, so please bear with me if these are/seem like "newbie" questions. We are currently evaluating a DNSSEC implementation. We have several static zones that we would like to implement first. We are currently using ISC Bind 9.7.4 - In the test environment (1) Authoritative dn

some questions about BIND 9's xfrin.c code...

2011-10-04 Thread JINMEI Tatuya / 神明達哉
I've been looking at BIND 9's IXFR(-in) implementation and encountered a few questions. I was not sure if these should be considered a bug, so I'm asking these here before actually filing a bug report. The source file in question is lib/dns/xfrin.c. 1. In xfrin_recv_done(), if an RR is found in

Re: DNSSEC not populating parent zone files with DS records

2011-10-04 Thread Raymond Drew Walker
-Original Message- From: Tony Finch Date: Mon, 3 Oct 2011 14:59:38 +0100 To: Michael Sinatra Cc: , , Raymond Walker Subject: Re: DNSSEC not populating parent zone files with DS records >Michael Sinatra wrote: >> >> There are ways of getting the DS records into the zone(s). Here are >

Re: Bind takes a long time to resolve requests

2011-10-04 Thread Pablo Maurelli
> > hello, pick up a dns server with bind9, is resolving claims, but it takes > time to resolve a lot, sometimes throw timeout error and the second time > resolved, any ideas? > I pass below my named.conf, host.conf and nsswitch.conf *DIG:* ; <<>> DiG 9.7.3 <<>> ;; global options: +cmd ;; Got a

Bind takes a long time to resolve requests

2011-10-04 Thread Pablo Maurelli
hello, pick up a dns server with bind9, is resolving claims, but it takes time to resolve a lot, sometimes throw timeout error and the second time resolved, any ideas? I pass below my named.conf, host.conf and nsswitch.conf from already thank you very much. Regards! __

Re: CNAME or A record?

2011-10-04 Thread feralert
Thank you so much people. You rock! I have finally gone for two A records, but thanks to all of you I now understand the pros and cons. I apologise if I misled you with the 'redirect' word, I really meant to say that I wanted both the domain and the www host to point to the same ip. Cheers