Re: bind 9.16 vs. 9.14 tcp client connections

2020-03-05 Thread Michael McNally
On 3/5/20 4:34 AM, Ondřej Surý wrote: >> On 5 Mar 2020, at 10:11, Arsen STASIC wrote: >> >> Hi, >> >> Bind 9.16 was installed on 3/2 15:45 and tcp connections ramped up to >> maximum: >> rndc status | grep -i tcp >> tcp clients: 102/150 >> TCP high-water: 150 >> >> Switching back to bind 9.

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-05 Thread Alan Batie
On 3/5/20 5:26 AM, Tony Finch wrote: > I think those errors from dnssec-verify look to me like you have an > RSASHA256 KSK and an RSASHA1 ZSK. Your key files should all have names > like K*+008+* not K*+005+*. In older versions of BIND it's easy to > accidentally get a bad key by forgetting the -a

DNS log reference

2020-03-05 Thread Chris Isaksen
Does anyone know of a good log file reference for each of the logs bind produces? Specifically the log format (columns etc) and the meaning of each log type and messages? Thanks

Re: Bind 9.11.13 - inline re-signing stops

2020-03-05 Thread Matthew Richardson
Firstly a big thank you to Mark and Ondrej for their assistance, which tracked down the issue. I understand it will be fixed in the next releases. My particular issue seemed to relate to the unsigned zonefiles being touched (by my automation) without the contents changing, followed by an "rndc reloa

Re: bind 9.16 vs. 9.14 tcp client connections

2020-03-05 Thread Ondřej Surý
Hi Arsen, we think you are hitting a problem that was reported to us earlier. Since it has been now circulated on the bind-users, we made the merge request public: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3163 and patch: https://gitlab.isc.org/isc-projects/bind9/-/merge_reque

Re: Changes BIND 9.15+ source distribution (gz -> xz, and SHA1 deprecation)

2020-03-05 Thread Tony Finch
Alan Batie wrote: > > I'm letting named do the automatic signing/generation of RRSIG records, > but unless I'm missing something, you still have to generate the DNSKEY > records manually. dnssec-verify is the tool in question complaining > about not including RSASHA1 keys and signatures. Oh whoo

Re: Unable to completely transfer root zone

2020-03-05 Thread von Dein, Thomas
Hello, I finally changed the config to type hint. However, now I still have the problem of keeping it up to date, right? Would a monthly cronjob suffice? Tom -Original Message- From: bind-users On Behalf Of Tony Finch Sent: Friday, 14 February 2020 13:47 To: bind-users@li

bind 9.16 vs. 9.14 tcp client connections

2020-03-05 Thread Arsen STASIC
Hi, Bind 9.16 was installed on 3/2 15:45 and tcp connections ramped up to maximum: rndc status | grep -i tcp tcp clients: 102/150 TCP high-water: 150 Switching back to bind 9.14 on 3/4 15:45 shows "normal" tcp client behavior: rndc status | grep -i tcp tcp clients: 29/150 TCP h