Re: Dnssec setting resolving weird

2019-01-30 Thread @lbutlr
On 30 Jan 2019, at 14:21, Ismael Suarez wrote: > This is puzzling me big time. Maybe I’m missing something obvious. Don’t know. There must be something in the logs? -- 'I don't see why everyone depends on me. I'm not dependable. Even I don't depend on me, and I'm me.’

DNSSEC setup hint

2019-01-30 Thread @lbutlr
This may be obvious to everyone else, and it may be documented somewhere in large letters with circles and arrows, but it was a surprise to me. key-directory in named.conf refers to the location for the .private key files, the .key files need to go with the domain conf files. (At least if there

Refresh of the .signed DNSSEC file?

2019-02-02 Thread @lbutlr
Based on having update-policy local; auto-dnssec maintain; in the zone, when I make changes to example.com I was expecting that example.com.signed would be refreshed. This doesn’t seem to be happening. I just went through several domains and changed the serial number and removed an old subdomain (

Re: Refresh of the .signed DNSSEC file?

2019-02-02 Thread @lbutlr
On 02 Feb 2019, at 06:34, Alan Clegg wrote: > when you make changes with "nsupdate -l", does the right thing happen? Hmm. I don’t know, I’ve never done that. Trundles off to read the nsupdate man page. -- W is for WINNIE embedded in ice X is for XERXES devoured by mice

incorrect section name: $ORIGIN

2019-02-04 Thread @lbutlr
Here is a domain zone file for example.com which is hosted by covisp.net: $ORIGIN . $TTL 86400 ; 1 day example.com. IN SOA ns1.covisp.net. admin.example.com. ( 2019020100 ; serial 300; refresh (5 minutes)

Re: incorrect section name: $ORIGIN

2019-02-05 Thread @lbutlr
On 4 Feb 2019, at 05:34, Tony Finch wrote: > nsupdate doesn't take zone files as input; OK, then how do I get Bind9.122 to update the .signed files? -- Can't seem to face up to the facts Tense and nervous and I can't relax Can't sleep, bed's on fire Don't touch me I'm a real live wire

Re: incorrect section name: $ORIGIN

2019-02-05 Thread @lbutlr
> On 5 Feb 2019, at 04:57, Tony Finch wrote: > > @lbutlr wrote: >> >> OK, then how do I get Bind9.122 to update the .signed files? > > Did you see my previous message? I did not, sorry. > https://lists.isc.org/pipermail/bind-users/2019-February/101335.html

Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr
>> OK, but rndc flush example.com results in: >> rndc: 'flush' failed: not found > > *FACEpalm* > > I'm sorry. I gave you the wrong command. You want "sync", not "flush". My > brain always thinks "flush the journal to disk" when it's really supposed to > be "sync the journal to disk". You c

Re: Freeze/thaw and signed zone files

2019-02-22 Thread @lbutlr
I did try manually updating via nsupdate -l > zone example.com > update add example.com. 86400 IN SOA ns1.example.net. admin.example.com. > 2019022200 3600 300 1209600 3600 > update add konamicode.example.com. 86400 IN CNAME www.example.com. > send ; Communication with ::1#53 failed: ti

Re: Freeze/thaw and signed zone files

2019-02-22 Thread @lbutlr
On 22 Feb 2019, at 12:12, Tony Finch wrote: > Get it from the link above, if you want :-) Doh! OK, got it, installed it, changed the path to perl, and that’s pretty slick. -- "I don't think the kind of friends I'd have would care.”

Re: Freeze/thaw and signed zone files

2019-02-23 Thread @lbutlr
On 22 Feb 2019, at 12:28, @lbutlr wrote: > ; Communication with ::1#53 failed: timed out I am still getting this error whenever I try to make a change in the zone with nsupdate -l, should I not worry about it? I mean, the records appear to be updating… 🤷🏼‍♀️ -- First we must assum

Re: Freeze/thaw and signed zone files

2019-02-23 Thread @lbutlr
On 23 Feb 2019, at 14:45, Mark Andrews wrote: > On IPv6 why wouldn’t you support it? Our ISP does not support it. We get 5 static IPv4 addresses and no IPv6 at all. -- Critics look at actresses one of two ways: you're either bankable or boinkable.

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-17 Thread @lbutlr
On 17 Mar 2019, at 15:52, Grant Taylor via bind-users wrote: > If the consensus is that the new behavior is desired, I would hope ~> expect > for a survey of the BIND user community like I've seen in the past about > removing / significantly altering functionality. I disagree. I'd prefer the b

Re: max file size or line count for BIND zone file

2019-04-25 Thread @lbutlr
On 25 Apr 2019, at 06:10, Martin Meadows via bind-users wrote: > Wondering if anyone is aware of a max file size or max number of lines that a given BIND zone file can contain? > Thanks,

Re: Bind > 9.12 Will Not Start On FreeBSD

2019-04-27 Thread @lbutlr
On 27 Apr 2019, at 16:21, Tim Daneliuk wrote: > Why is 9.12+ now suddenly so grumpy about who owns the files? Is this a > recent fix to reduce the attack surface on files owned by root? Pretty sure. I thought it was mentioned in the 9.12 release notes, but now I can't find it. -- One of the

Updating to 9.14

2019-05-15 Thread @lbutlr
Currently running latest release of Bind 9.12, which is now EOLed and want to move to 9.14. I was looking on google for update "bind9.12" "bind 9.14" But did not find anything of use. I did find the 9.14 announcement, but there isn't a link there to release notes. I know there has been at leas

nsupdate reject

2019-05-19 Thread @lbutlr
Trying to update some DNS under a relatively newly installed bind 9.14 with nsupdate. I have a file admin.key that looks basically like this: key "rndc-key" { algorithm hmac-sha256; secret "SECRETSTUFF="; }; This is the same key block that is in named.conf. I am launching NSLOOKUP

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 19 May 2019, at 18:27, @lbutlr wrote: > This is the same key block that is in named.conf. I am launching NSLOOKUP > with -k admin.key, but when I try to make a change and then "send", I get > "update failed: REFUSED." I found a page that recommended adding a dd

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 16:21, Noel Butler wrote: >allow-update { key "keyname"; }; Ah, no I did not. The instructions I found, as I mentioned in a later post, were to add grant dons-key. Is this a change in 9.14, because I did not have to do this in 9.12? > and nsLOOKUP ? Just a thinko.

Re: nsupdate reject

2019-05-20 Thread @lbutlr
On 20 May 2019, at 20:45, @lbutlr wrote: > > On 20 May 2019, at 16:21, Noel Butler wrote: >> allow-update { key "keyname"; }; > > Ah, no I did not. The instructions I found, as I mentioned in a later post, > were to add grant dons-key. Is this a change

Re: Should we remove the DLV code?

2019-05-23 Thread @lbutlr
On 22 May 2019, at 23:31, Evan Hunt wrote: > One possible reason is distribution of trust anchors for a private corporate > domain. Aren't there better ways to do this? Or at least other ways to do this? Anything to make bind leaner and meaner and with fewer LOCs seems like a plus to me. --

Re: A policy for removing named.conf options.

2019-06-13 Thread @lbutlr
On 13 Jun 2019, at 17:48, Browne, Stuart via bind-users wrote: > For options that have passed their warning phase and have been removed, I'm > all for BIND failing to start and named-checkconf erroring out, rather than > quietly ignoring them. Yes, I think this is the best way, otherwise there

Bind and HTTPS?

2019-07-11 Thread @lbutlr
Is it possible to set up bind to use DoH (DNS over HTTPS) rather than unencrypted DNS lookups? Or in addition to? -- 'An appointment is an engagement to see someone, while a morningstar is a large lump of metal used for viciously crushing skulls. It is important not to confuse the two.’

Re: Bind and HTTPS?

2019-07-11 Thread @lbutlr
On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users wrote: > On 11/7/2019 15:35, Tony Finch wrote: >> Lefteris Tsintjelis via bind-users wrote: >>> >>> Why would you want something like that? >> https://datatracker.ietf.org/wg/dprive/about/ > > If you are willing to sacrifice speed.

Re: set bind-users mail

2020-02-14 Thread @lbutlr
On 13 Feb 2020, at 08:56, Ward, Mike S wrote: > > set bind-users mail > == This email, and any files transmitted with it, is > confidential and intended solely for the use of the individual or entity to > which it is addressed. > If you

Re: Advice on balancing web traffic using geoip ACls

2020-02-23 Thread @lbutlr via bind-users
On 23 Feb 2020, at 07:57, @lbutlr wrote: > (9.11.6 should be coming really soon) 9.11.16, and I appear to be behind a touch, it is already released.

Nsupdate and TTL

2020-04-22 Thread @lbutlr via bind-users
What is the proper syntax for changing the TTL on a zone with nsupdate? Does the existence of $TTL 86400 in the domain.conf file override nsupdate’s attempts to change the TTL? # nsupdate -k /path/to/key > zone example.com > ttl 3600 > send > ^d No errors, but no change in the TTL. -- "I k

unknown option 'trust-anchors'

2020-07-05 Thread @lbutlr via bind-users
In named.conf I have dnssec-enable yes; dnssec-validation auto; # rndc managed-keys status view: _default next scheduled event: Sun, 05 Jul 2020 20:43:00 GMT name: . keyid: 20326 algorithm: RSASHA256 flags: SEP next refresh: Sun, 05 Jul 2020 20:43:

Dnssec delegation NS RRset

2021-03-27 Thread @lbutlr via bind-users
I am getting the following warning: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the com zone): (a DNS server) The DNS server exists and is used by other domains, so this is something specific to this one domain and not to the D

Dnssec-policy Purge-keys

2021-04-11 Thread @lbutlr via bind-users
Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and all I can find is notes that it was added. I've tried a couple of things, but I am shooting in the dark. I cannot redefine the "default" policy as that gives an error and simply putting "purge-keys P90D;" or "dnssec-pol

Re: Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-05-30 Thread @lbutlr via bind-users
On 30 May 2021, at 12:23, Grant Taylor via bind-users wrote: > On 5/30/21 9:24 AM, Richard T.A. Neal wrote: >> I spent a little time this weekend setting-up BIND 9.17.13 on Ubuntu 21.04 >> and configuring the system as a recursive resolver offering DNS over HTTPS >> using a LetsEncrypt certific

A record for @?

2021-11-05 Thread @lbutlr via bind-users
I have a domain that I host DNS and email for, but not web. I set the A record for www.example.com to the IP of the web server with nsupdate, removing the old CNAME that pointed to the local webserver, but the web monkey for the new website is saying that www has to be a CNAME and the @ record sho

Signatures expired?

2022-04-10 Thread @lbutlr via bind-users
In the process of setting up a new domain I noticed that some existing domains are logging an error into /var/log/messages domain.tld.signed:120: signature has expired Each domain that is expired shows the same :120 The lines in question do refer to old ALG-7 signatures but shouldn’t those go

Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
I edited a zone file after issuing an rndc freeze command, added two new sub zones, changed the serial number, saved the file, and then did an rndc thaw. In /var/log/messages I get zone serial (2019020105) unchanged. zone may fail to transfer to slaves. which is the previous serial number. So, I

Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users > wrote: > > On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote: >> I edited a zone file after issuing a rndc freeze command, added two new sub >> zones, changed the serial number, saved the file, and then

Re: Freeze/thaw and signed zone files

2019-02-21 Thread @lbutlr via bind-users
On 21 Feb 2019, at 18:28, @lbutlr wrote: > Is the original random key that was generated at the time of signing kept > somewhere? NSEC3 seems to contain a 16 character hex string that recurs > throughout the file. OK, I moved aside the signed file, resigned the domain using the 16

Re: Freeze/thaw and signed zone files

2019-02-22 Thread @lbutlr via bind-users
On 21 Feb 2019, at 20:43, Grant Taylor via bind-users wrote: > > On 2/21/19 6:28 PM, @lbutlr wrote: >> rndc reload did not recreate (or at least update the time stamp) on the >> .signed file. > > Hum. Maybe it's something different about how you're doing

Re: Freeze/thaw and signed zone files

2019-02-22 Thread @lbutlr via bind-users
On 22 Feb 2019, at 09:54, Tony Finch wrote: > You might want a config like > > zone "example.com" { > type master; > file "master/example.com”; Not example.com.signed? > update-policy local; > auto-dnssec maintain; > in
