> May I transfer *views* rather than zone description files?
No. That's why it is called "zone" transfer. :)
> May I transfer two zone description files for a single zone to a
> single server?
Again no. (See previous thread on your request to serve two zone files
for the same zone in the one vi
:-)
I have defined two views (let's call them an `internal' and an
`external') for my zones on the primary DNS server. Let's assume I'd
like the secondary DNS server to use the same two views synchronized to
the primary DNS. May I transfer *views* rather than zone description
files? May I transfer
> The documentation for `match-clients' isn't comprehensive enough... Can
> I add all host from, for example 172.16/16 except a single host? Does:
>
> match-clients { 172.16.0.0/16;!172.16.1.1; }
BIND checks the ACL in the order you specify. In your example,
172.16.1.1 will be allowed by the firs
On 11/24/2011 11:21 AM, Jan-Piet Mens wrote:
> Jeffry,
>
>> I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)
>
It comes with the Windows version of BIND9.
Danny
_
On 25/11/2011 23:36, Marek Kozlowski wrote:
> One more question:
> The documentation for `match-clients' isn't comprehensive enough... Can
> I add all host from, for example 172.16/16 except a single host? Does:
>
> match-clients { 172.16.0.0/16;!172.16.1.1; }
List the exception first, otherwise
:-)
One more question:
The documentation for `match-clients' isn't comprehensive enough... Can
I add all host from, for example 172.16/16 except a single host? Does:
match-clients { 172.16.0.0/16;!172.16.1.1; }
form an AND or an OR?
Best regards,
/m
_
On 25/11/2011 16:59, Marek Kozlowski wrote:
> Is it allowed to use a few `zone' clauses for a single domain? Is
> something like this correct:
>
> zone "mickey.mouse.com" in {
> type master;
> file "pri/mickey-public.zone";
> allow-query { any; };
> allow-transfer {
> I looked at the DNSSEC section of the bind test suite
> (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is
> part of it. I didn't see that, but it may be elsewhere, as the test suite
> is pretty elaborate. The test suite does contain a simulated root server
> (ns1), so I bet
> Does anyone provide a zone with a trust anchor that is frequently rolled
over in that way, just so that one can see whether it really works? Then
one's feelings might be warmer and less fuzzy...
I looked at the DNSSEC section of the bind test suite
(bind-9.9.0b2/bin/tests/system/dnssec) to see
> given that their respective administrators have
> declared an intention to follow RFC 5011 if they ever roll over their
> KSKs.
As you say "if they ever roll"; I'm not placing any money on that. ;-)
> I could of course set up such a test zone and try to perform an RFC 5011
> rollover on it, usi
Using "managed-keys" for the root zone and for dlv.isc.org can give one
a warm fuzzy feeling, given that their respective administrators have
declared an intention to follow RFC 5011 if they ever roll over their
KSKs.
Except, they never have changed their KSKs so far, so the relevant code
in BIND
> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?
You have to use views so that the server can decide which clients get
which responses. This you specify in a match-clients {} stanza within
the view.
-JP
__
> Is it possible to update DNSSEC-signed domain, re-sign and generate
> small differencies to be transferred by IXFR?
>
> Does it apply with dynamic updates, and with manually configur4ed
> zones (via ixfr-from-differencies turned on)?
It works fine with dynamic updates, and as of 9.9.0 it will
On Fri, Nov 25, 2011 at 11:59 AM, Marek Kozlowski
wrote:
> Do I *have* to use views to deal with such distinction or can I specify
> it just as above without views?
Pretty sure you have to use views, in the least doing so would likely
be the best good practice to follow.
--
aRDy Music and Ric
:-)
Forgive me a stupid question but I can't find the answer...
Is it allowed to use a few `zone' clauses for a single domain? Is
something like this correct:
zone "mickey.mouse.com" in {
type master;
file "pri/mickey-public.zone";
allow-query { any; };
allow-trans
On 11/25/2011 03:19 PM, Tony Finch wrote:
> Bryton wrote:
>> I wonder if anyone has ever got the error
> In my logs I have some of this:
>
> 25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX:
> bad cache hit (uofk.edu/DNSKEY)
>
> Which is fairly nicely explained by this:
Bryton wrote:
>
> I wonder if anyone has ever got the error
In my logs I have some of this:
25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: bad
cache hit (uofk.edu/DNSKEY)
Which is fairly nicely explained by this:
http://dnsviz.net/d/uofk.edu/dnssec/
Tony.
--
f.a
Matus UHLAR - fantomas wrote:
>
> Is it possible to update DNSSEC-signed domain, re-sign and generate small
> differencies to be transferred by IXFR?
Yes, it just works with no special effort if you use dynamic updates and
auto-dnssec maintain.
Tony.
--
f.anthony.n.finchhttp://dotat.at/
Sou
Hi,
I am having a problem,
I am signing a zone with opendnssec,
After signing it seems fine and
If issue a
*dig @[dnssec-aware-recursive-server] [zone] +dnssec SOA*
from this [*dnssec-aware-recursive-server*]
And the answer is returned with RRSIGS and ad bit
But after some time if I issue a
On 11/25/2011 00:38, Matus UHLAR - fantomas wrote:
> not mentioning new features (mostly DNSSEC related) that new servers have.
The OP explicitly excluded DNSSEC, but, yeah. :)
--
"We could put the whole Internet into a book."
"Too practical."
Breadth o
Hello,
Just for my curiosity:
Is it possible to update DNSSEC-signed domain, re-sign and generate
small differencies to be transferred by IXFR?
Does it apply with dynamic updates, and with manually configur4ed
zones (via ixfr-from-differencies turned on)?
OT: if anyone uses opendnssec, doe
On 11/24/2011 20:10, Loganathan Thirukkumaran wrote:
Master is in internal running on Bind 9.2.1,
On 25.11.11 00:14, Doug Barton wrote:
You want to update this one as well. I know that the theory is that it's
"hidden," but the first time an attacker finds it, it's going to get 0wn3d.
not me
On 11/24/2011 20:10, Loganathan Thirukkumaran wrote:
> Hello All,
>
> We have our slave servers running compiled Bind 9.6.1-P3 on CentOS 5.4.
>
> Can I upgrade to 9.8.1-P1 directly from the current version 9.6.1-P3?
> Or It has to be on the same 9.6.ESV-R5-P1 latest version?
Should be Ok unl
23 matches
Mail list logo
