Alan Batie wrote:
>
> That was my thought, but the tools complain about not having both...
[snip]
> Still working out which ones it thinks are missing, as both appear to be
> there - it would be nice if the tool was more specific...
If you are doing an algorithm rollover, you should have 2
On 3/3/20 8:59 AM, Tony Finch wrote:
> Alan Batie wrote:
>>
>> This is timely as I was about to ask if there's any reason to generate
>> SHA1 DNSKEY records? I should think that anything I care about can
>> handle SHA256 these days...
>
> There are extremely strong reasons for NOT generating
von Dein, Thomas wrote:
>
> we're seeing a lot of malformed DNS queries to our recursive nameservers
> like these:
[snip queries for notification. / antivirusix. / kubeinspect. /
organization. / history. / go-kms. ]
> Obviously these clients (there are many) are misconfigured in some weird
>
Alan Batie wrote:
>
> This is timely as I was about to ask if there's any reason to generate
> SHA1 DNSKEY records? I should think that anything I care about can
> handle SHA256 these days...
There are extremely strong reasons for NOT generating SHA1 DNSKEY records!
You could set a global ratelimit for responses per IP, which is "high enough"
for normal use but blocking when they start misbehaving. Just remember to
change the size of the netmask used to block, I think the default is a /24 or
something.
I don't know what a sane level is for you though. We
Hello,
we're seeing a lot of malformed DNS queries to our recursive nameservers like
these:
06:38:32.733678 IP client.59003 > nameserver2.53: 21974+ ? notification. (30)
06:38:32.734079 IP nameserver2.53 > client.59003: 21974 NXDomain 0/1/0 (105)
06:38:33.216732 IP client.59003 >