[ Quoting at 04:07 on Mar 7 in "RE: fermat primes an..." ]
> > I would recommend that dnssec-keygen starts ignoring the "-e" parameter
> > that everyone has put in their scripts to prevent exponent 3 keys, who are
> > not getting keys with exponent 4294967296 + 1 (F5)
>
> > Alternatively, if
dig +trace +qr +comment +question
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubs
> I would recommend that dnssec-keygen starts ignoring the "-e" parameter that
> everyone has put in their scripts to prevent exponent 3 keys, who are not
> getting keys with exponent 4294967296 + 1 (F5)
> Alternatively, if this is done on purpose, I guess we should all migrate the
> 64 bit mac
Hi, fellow BIND users.
The other day I was attempting to diagnose a problem on a recursive resolving
name server. I had just enabled DNSSEC Validation, and certain digs (such as
"www.isc.org", "www.dnssec-failed.org") were failing. Even queries to
non-signed domains such as my own personal domai
Hi Evan,
That's true there is a case here. This way around it makes sense to have that
rndc call. Thanks for clearing this one up.
Cheers,
--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone +61 3 909
On Wed, Mar 07, 2012 at 10:33:24AM +1100, Wolfgang Nagele wrote:
> Nothing says so in the specs: http://tools.ietf.org/html/rfc5155#section-4
It does, actually: "The presence of an NSEC3PARAM RR at a zone apex
indicates that the specified parameters may be used by authoritative
servers to choose
Hi,
> NSEC3PARAM is not supposed to be present in an unsigned zone. rndc doesn't
> add them to the zone. It tells the signing component to generate a NSEC3
> chain and when that is complete to add the NSEC3PARAM record.
Nothing says so in the specs: http://tools.ietf.org/html/rfc5155#section-4
Yo
In message <32660394-6c37-4268-9f36-1e73996dc...@ausregistry.com.au>, Wolfgang
Nagele writes:
> Hi,
>
> > NSEC3PARAM records should be generated by the signing software and
> > not just be added to the zone.
> Who says that? :) I think that is a matter of implementation and preference.
>
>
In message , Wolfgang
Nagele writes:
> Hi,
>
> Ok that is already a bit better - at least saves a full sign with NSEC first.
> Wondering though, from a user perspective sending in NSEC3PARAM from the
> unsigned end seems like the most natural thing to do. Why complicate matters by
> having to
Hi,
> NSEC3PARAM records should be generated by the signing software and
> not just be added to the zone.
Who says that? :) I think that is a matter of implementation and preference.
> Their presence/absence changes how
> the zone is served. In particular how negative and wildcard responses
> ar
In message , Axel Rau writes:
>
> On 06.03.2012 at 17:28, Evan Hunt wrote:
>
> > However, whenever you do wish to change them,
> Yes.
> > you can do so with
> > 'rndc signing -nsec3param', and the chain will be updated automatically.
> I see.
> As named is looking periodically for appearing/dis
Hi,
Ok that is already a bit better - at least saves a full sign with NSEC first.
Wondering though, from a user perspective sending in NSEC3PARAM from the
unsigned end seems like the most natural thing to do. Why complicate matters by
having to use rndc here?
Cheers,
--
Wolfgang Nagele
Senior
See part of the discussion Miek and I had at the golang group:
http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Priority%20Owner%20Reporter%20Summary&groupby=&sort=&id=3161
The bug seems to be that dnssec-keygen upgraded the fermat prime that
is u
Aha.
Thank you Mark, and rob0, that should remedy it.
Appreciate your quick response(s.)
==Keith
In message
, Keith Christian writes:
> Hello,
>
>
> Attempting to set up a small dns server purely for testing purposes,
> using a non-existent domain name.
>
> I have run into problems with my very simple setup, have tried
> changing multiple tokens in the config files, no success, but have
On Tue, Mar 06, 2012 at 01:09:34PM -0700, Keith Christian wrote:
> Attempting to set up a small dns server purely for testing
> purposes, using a non-existent domain name.
>
> I have run into problems with my very simple setup, have tried
> changing multiple tokens in the config files, no success
Hello,
Attempting to set up a small dns server purely for testing purposes,
using a non-existent domain name.
I have run into problems with my very simple setup, have tried
changing multiple tokens in the config files, no success, but have
found a few items:
- The zone file loads, and BIND sta
Hi,
> The remote zones have IPv6 servers and named believes your machine
> has IPv6 connectivity. It then attempts to connect to the remote
> servers and gets back a network error saying that it can't reach
> the remote machines.
>
> The long term fix is to request IPv6 connectivity from your ISP
On Tue, Mar 06, 2012 at 05:52:05PM +0100, Axel Rau wrote:
> As named is looking periodically for appearing/disappearing or changed
> keys in the key directory, I supposed it would notice changes of
> $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.
>
> So my script has to do these 3 steps
On 06.03.2012 at 17:28, Evan Hunt wrote:
> However, whenever you do wish to change them,
Yes.
> you can do so with
> 'rndc signing -nsec3param', and the chain will be updated automatically.
I see.
As named is looking periodically for appearing/disappearing or changed keys in
the key directory,
> What is the proper format to write a DKIM TXT?
There seems to be quite a bit of information about this available via Google
search. Here's one reference I found that gives some step-by-step instructions:
Creating DKIM TXT Records in Linux/UNIX Bind
http://forum.unifiedemail.net/default.aspx?g=p
> So, I have to do this again, if the NSEC3PARAM changes (e.g. with a
> different salt during ZSK rollover)? Or does auto-dnssec maintain take
> care on the changed NSEC3PARAM?
I'm not sure I understand the question; there's no requirement that
you change the NSEC3 parameters during a key roll.
What is the proper format to write a DKIM TXT?
On 06.03.2012 at 08:55, Evan Hunt wrote:
> You should be able to use 'rndc signing -nsec3param' before the zone
> is signed. It's working for me:
>
>     zone "example.nil" {
>             type master;
>             inline-signing yes;
>             auto-dnssec maintain;
>             file "example