Re: Inline signing fails dnsviz test.

2021-05-10 Thread Dan Egli via bind-users
Okay, so I added the policy, and things MOSTLY look okay. But when I retake the verification test, I get errors about no RRSIGs found. What do I do to resolve that issue?
On 5/10/2021 12:38 PM, Tony Finch wrote:
> Dan Egli wrote:
>> Still not working for me. The dig doesn't report anything, and

Re: Inline signing fails dnsviz test.

2021-05-10 Thread Tony Finch
Dan Egli wrote:
> Still not working for me. The dig doesn't report anything, and I don't HAVE a keyfile since I'm using inline signing. Or does inline signing still require a key to be generated?
Yes, you need to do your own key management with inline-signing using dnssec-keygen. The new

Re: Inline signing fails dnsviz test.

2021-05-10 Thread Dan Egli
On 5/10/2021 12:17 PM, Tony Finch wrote:
> Dan Egli wrote:
>> Where do I get the DS record, since I'm using bind's inline signing?
> Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the KSK file)
> $ grep This Kcam.ac.uk.+013+32840.key
> ; This is a key-signing key,

Re: where are the testing docs ?

2021-05-10 Thread Ondřej Surý
And I am saying all of this is a definition of off-topic, so please be nice to each other and stay on topic. Dennis, we are going to accept a MR that would fix your case and not break anything else. You can either submit patch inline in the issue or you can ask and I can permit forking the

Re: where are the testing docs ?

2021-05-10 Thread Paul Kosinski via bind-users
Actually, it's in keeping with the *original* definition of hacking!
On Sun, 9 May 2021 23:55:13 -0600 @lbutlr wrote:
> On 06 May 2021, at 09:57, Dennis Clarke via bind-users wrote:
> > I do NOT trust a build result where I had to go hacking into all the Makefiles just to get it to

Re: Inline signing fails dnsviz test.

2021-05-10 Thread Tony Finch
Dan Egli wrote:
> Where do I get the DS record, since I'm using bind's inline signing?
Use the dnssec-dsfromkey tool, e.g. from a key file (make sure it's the KSK file)
$ grep This Kcam.ac.uk.+013+32840.key
; This is a key-signing key, keyid 32840, for cam.ac.uk.
$

Re: Inline signing fails dnsviz test.

2021-05-10 Thread Dan Egli
They do, and I had forgotten that. But I don't know where to get the DS record I'd place. I tried querying bind, but all I got back was someone's SOA record:
; <<>> DiG 9.16.12 <<>> @localhost ds eglifamily.name
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode:

Re: where are the testing docs ?

2021-05-10 Thread Dennis Clarke via bind-users
On 5/10/21 01:55, @lbutlr wrote:
> On 06 May 2021, at 09:57, Dennis Clarke via bind-users wrote:
>> I do NOT trust a build result where I had to go hacking into all the Makefiles just to get it to build. You install without doing testing?
>
> That's a very strange definition of "hacking".

Re: Update DNSSEC Zone

2021-05-10 Thread Tony Finch
Peter Fraser wrote:
> I am using bind-9.14.x and here are the DNSSEC related entries in the zone.
>
> auto-dnssec maintain;
> update-policy local;
> key-directory “zones/domain-keys”;
How you go about this depends on whether your configuration enables `inline-signing` or not. If it has

Re: Inline signing fails dnsviz test.

2021-05-10 Thread John W. Blue via bind-users
Hello Dan. Does your registrar have the ability via a UI to place a DS record in the .name zone? And if so, have you done that already? John Sent from Nine From: Dan Egli Sent: Monday, May 10, 2021 12:20 AM To:

Re: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-05-10 Thread Ondřej Surý
> On 10. 5. 2021, at 10:29, Richard T.A. Neal wrote:
>
> At this time I don't therefore believe that running BIND via WSL or WSL2 on Windows Server is a viable reliable solution.
Thanks for the analysis. The alternative is as I outlined in the first email, somebody needs to step up and

RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-05-10 Thread Richard T.A. Neal
I spent some time last week looking at options for running BIND under WSL on Windows Server. Unfortunately it doesn't presently look like a viable solution for the following reasons: There are two versions of WSL: WSL1 and WSL2. Development has all but ceased on WSL1, but WSL1 is the only