Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Walter H. via bind-users
Try these four: fail01.dnssec.works, fail02.dnssec.works, fail03.dnssec.works, fail04.dnssec.works, and then with +cd and note the difference; On 28.04.2024 08:17, Walter H. via bind-users wrote: On 27.04.2024 16:54, Lee wrote: On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind

[help]how to configure ecs subnet for bind-9.18-21

2024-04-28 Thread Yang via bind-users
Dear admin: now, I use bind-9.18-21, I want to use the ECS client subnet function; but I don't know how to configure it, and I don't get a method from Google. Please give me some example, or document, or Google links to learn about it; thanks! Yang 395096...@qq.com-- Visit https

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Walter H. via bind-users
On 27.04.2024 16:54, Lee wrote: On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users wrote: # host dnssec-analyzer.verisignlabs.com dnssec-analyzer.verisignlabs.com is an alias for dnssec-analyzer-gslb.verisignlabs.com. dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-27 Thread Walter H. via bind-users
& this in the bind errors_log file: $ grep dnssec-analyzer.verisignlabs.com named-errors.log | tail -1 26-Apr-2024 19:28:37.600 query-errors: info: client @0x7f384488e3c0 127.0.0.1#47121 (dnssec-analyzer.verisignlabs.com): query failed (failure) for dnssec-analyzer.verisignlabs.com/IN/ at que

Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-26 Thread Havard Eidnes via bind-users
advertises itself as authoritative > for 85.191.131.in-addr.arpa Yep. Both of the resolvable NSes ns102.click-network.com and fs838.click-network.com claim authority over 191.131.in-addr.arpa, which they don't have according to the parent zone DNS delegations. Regards, - Håvard --

Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-24 Thread tale via bind-users
address for 'ns102.click-network.com': not found

Re: RFC8482: Implementation

2024-04-22 Thread Greg Choules via bind-users
Hi. In BIND, since 9.11, there is an option/view statement called "minimal-any", which defaults to "no". That might be what you're after. Cheers, Greg On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge < avanpevenae...@outlook.fr> wrote: > Hello everyone, &

RHEL, Centos, Rocky, Fedora rpm 9.18.26

2024-04-17 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

2024-04-17 Thread Nick Tait via bind-users
On 17/04/2024 11:41, John Thurston wrote: I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until

Re: Some Authoritative-Only BCPs

2024-04-02 Thread Greg Choules via bind-users
Hi Crist. Firstly, DNS servers do not make recursive queries, unless they have been configured to forward. Secondly, please start a packet capture on your server (save to disc, so you can analyse it later in Wireshark) then start BIND and make some test queries to your server. Look at what your

Re: Some Authoritative-Only BCPs

2024-03-28 Thread Greg Choules via bind-users
queries Hope that helps. Greg On Thu, 28 Mar 2024 at 06:15, Crist Clark wrote: > I am upgrading and redeploying some authoritative-only BIND servers. Two > questions about some fine points: > > What to set 'dnssec-validation'? Just let it default to 'auto?' There is > no need or

Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Jan > Schaumann via bind-users > Sent: Tuesday, 26 March 2024 14:44 > To: bind-users@lists.isc.org > Subject: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records > > Karl Auer

Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Jan Schaumann via bind-users
Es. Fortunately, nowadays we have a proper solution for this problem (which -- bringing it back on-topic :-) -- bind supports): SVCB / HTTPS records (RFC9460). However, adoption of those records is still lacking, with clients behaving inconsistently and services not offering them widely yet. -Jan --

Re: transfert master slave

2024-03-25 Thread Greg Choules via bind-users
ve, it still receives updates from the master. The > transfer on the master is as follows: > > allow-transfer {192.168.56.157;}; > > also-notify {192.168.56.157;}; > > notify explicit;" > > > > PS. BIND version : 9.16.48 > > > > Regards Sami > > Orange

RHEL, Centos, Rocky, Fedora rpm 9.18.25

2024-03-22 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

Re: Crafting a NOTIFY message from the command line?

2024-03-21 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Arsen > STASIC > Sent: Thursday, 21 March 2024 08:47 > To: Petr Špaček > Cc: bind-users@lists.isc.org > Subject: Re: Crafting a NOTIFY message from the command line? > > * Petr Špače

Re: DNSSEC deployement in an isolated virtual environment

2024-03-16 Thread Greg Choules via bind-users
in my virtual environment? I think I know how DNSSEC > works, but if you also have any clarification to offer, I'd be delighted to > hear from you. My BIND server runs on an Ubuntu22.04 Jammy Jellyfish VM. > > Thanks in advance for your help. > -- > Visit https://lists.isc.org

Re: opendnssec -> inline-signing

2024-03-07 Thread Nick Tait via bind-users
I couldn't help noticing that when you ran dnssec-dsfromkey you referenced this directory: /usr/home/dns/Fixed Nick.

Re: Bind9 "split zones"

2024-03-04 Thread Taavi Ansper via bind-users
the "forwarders" statement because "sub.example.com" has been delegated away. - Do you really want to be forwarding to your hidden primary anyway? - Why are two different servers both authoritative for "100.168.192.in-addr.arpa"? That's asking

Re: Bind9 "split zones"

2024-03-04 Thread Greg Choules via bind-users
statement because " sub.example.com" has been delegated away. - Do you really want to be forwarding to your hidden primary anyway? - Why are two different servers both authoritative for "100.168.192.in-addr.arpa"? That's asking for trouble. Hope that helps. Greg On M

Bind9 "split zones"

2024-03-04 Thread Taavi Ansper via bind-users
work. I have a feeling the forwarding only works for specific zones, and you can't combine two of the same "names" into one. Am I correct and in order for PTR records to work I need to get them into a single file? -- Taavi Ansper taavi.ans...@cyber.ee

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users
e "example.com" zone.

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Greg Choules via bind-users
atter of combining them. On Fri, 1 Mar 2024 at 21:11, Nick Tait via bind-users < bind-users@lists.isc.org> wrote: > On 02/03/2024 03:42, Mike Mitchell via bind-users wrote: > > Our networking team is in the habit of entering the IP address of every > network interface o

Re: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Nick Tait via bind-users
On 02/03/2024 03:42, Mike Mitchell via bind-users wrote: Our networking team is in the habit of entering the IP address of every network interface on a router under one name. The very first address entry is their out-of-band management interface. "rrset-order fixed" is used on th

RE: fixed rrset ordering - is this still a thing?

2024-03-01 Thread Mike Mitchell via bind-users
ctions take too long and there must be a network error. Mike Mitchell -Original Message- From: bind-users On Behalf Of Ondrej Surý Sent: Thursday, February 29, 2024 4:40 PM To: BIND Users Mailing List Subject: fixed rrset ordering - is this still a thing? EXTERNAL Hey, BIND 9 supports a

Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"

2024-03-01 Thread Greg Choules via bind-users
e and load to consider. Might your tweaked responses just > send clients to a nearby but tragically overloaded server? > > My preference would be to let those people whose job it is to think > about this stuff - which, reading this list, clearly they do - get on > with their job. >

Re: fixed rrset ordering - is this still a thing?

2024-02-29 Thread Matt Nordhoff via bind-users
On Fri, Mar 1, 2024 at 12:38 AM Matt Nordhoff wrote: > On Thu, Feb 29, 2024 at 9:40 PM Ondřej Surý wrote: > > Hey, > > > > BIND 9 supports a fixed rrset ordering (that is keeping the order of the > > RRSets from the zone file). It has to be configured > > a

Re: fixed rrset ordering - is this still a thing?

2024-02-29 Thread Matt Nordhoff via bind-users
On Thu, Feb 29, 2024 at 9:40 PM Ondřej Surý wrote: > Hey, > > BIND 9 supports a fixed rrset ordering (that is keeping the order of the > RRSets from the zone file). It has to be configured > at the compile time, it takes more memory (to record that order) and it's a > #ifdef a

Re: Deprecated DSCP support

2024-02-29 Thread Greg Choules via bind-users
ufacturers are available), match all port 53, set DSCP to an appropriate value for *your* network and prioritise/police as appropriate in the core. Cheers, Greg On Thu, 29 Feb 2024 at 09:00, Wolfgang Riedel via bind-users < bind-users@lists.isc.org> wrote: > Hi Folks, > > OK let

Re: Deprecated DSCP support

2024-02-29 Thread Wolfgang Riedel via bind-users
ps://docs.libuv.org/en/v1.x/udp.html > > On 28. 02. 24 13:50, Balazs Hinel (Nokia) via bind-users wrote: >> Hi, >> I am working on a product in Nokia, and we currently use BIND provided by >> Rocky Linux 8 with security patches. Recently the requirement came that we >&

Deprecated DSCP support

2024-02-28 Thread Balazs Hinel (Nokia) via bind-users
Hi, I am working on a product in Nokia, and we currently use BIND provided by Rocky Linux 8 with security patches. Recently the requirement came that we should upgrade to at least 9.16. During the testing of this version we realized that a feature we used, DSCP, has stopped working. Reading

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Carsten ... > It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would > report steps it would do because of "dnssec-policy", but will not execute the > changes. If this Bind

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Ondřej, > On 27. Feb 2024, at 16:43, Ondřej Surý wrote: > > Carsten, could you please fill a feature request in the GitLab? Done, #4606. Greetings Carsten

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
Hi Jim, > On 27. Feb 2024, at 16:39, Jim P. via bind-users > wrote: > > There should also be an option to display the current configuration in > specific detail to easily create a new KASP (side question: why does DNS > need a new acronym?) The term “KASP” for “Key-and-s

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Jim P. via bind-users
On Tue, 2024-02-27 at 16:06 +0100, Carsten Strotmann via bind-users wrote: > It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 > would report steps it would do because of "dnssec-policy", but will > not execute the changes. **This** ^^^ There should

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Carsten Strotmann via bind-users
ches the current keys, but they haven't (for one reason or other, it happens for me, despite working a lot with DNSSEC and BIND 9). It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would report steps it would do because of "dnssec-policy", but will not execut

Re: Problem upgrading to 9.18 - important feature being removed

2024-02-26 Thread Nick Tait via bind-users
On 27/02/2024 13:22, Michael Sinatra wrote: On 2/26/24 13:41, Al Whaley wrote: Originally (under the above command) RR records for DNSSEC were maintained by bind, but the ZSK and KSK keys were maintained by me. This command is being discarded. I understand that bind "sort of"

KeyTrap fix breaks resolving semi-bogus paste.debian.net/snow-crash.org

2024-02-14 Thread Matt Nordhoff via bind-users
: It has an algorithm 13 DS record, is correctly signed with algorithm 13, but is also signed using algorithm 8 with signatures that expired a year ago(!). <https://dnsviz.net/d/paste.debian.net/ZczXYw/dnssec/> Other resolvers, and older versions of BIND, ignore the bad/irrelevant signatures a

error: 'allow-update' is not allowed in 'slave' zone

2024-02-14 Thread trgapp16 via bind-users
Hello, I configured Bind 9.18.12 as slave DDNS with dynamic updates from DHCP (ISC DHCP 4.4) running on the same server (Ubuntu 22.04 server) When I run "named-checkconf named.conf", I get the following error "named.conf:2018: option 'allow-update' is not allowed

Re: id.server on 9.18.24

2024-02-14 Thread Marco Davids (SIDN) via bind-users

id.server on 9.18.24

2024-02-14 Thread Marco Davids (SIDN) via bind-users

dns_diff_apply / "del not exact" logging

2024-02-13 Thread Andreas S. Kerber via bind-users
is some kind of Windows server. Is this something to worry about? This kind of logging popped up since upgrading the secondary to 9.18.24.

RHEL, Centos, Rocky, Fedora rpm 9.18.24

2024-02-13 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

RE: Answers from subzone even when superzone has a delegation elsewhere

2024-02-13 Thread Friesen, Don CITZ:EX via bind-users
: bind-users On Behalf Of Andy Smith Sent: Tuesday, February 13, 2024 6:46 AM To: bind-users@lists.isc.org Subject: Re: Answers from subzone even when superzone has a delegation elsewhere

RE: Answers from subzone even when superzone has a delegation elsewhere

2024-02-13 Thread Friesen, Don CITZ:EX via bind-users
Andy, You do also have the A record glue for elsewhere.example.com in the example.com zone, right? Just checking. Don Friesen -Original Message- From: bind-users On Behalf Of Andy Smith Sent: Tuesday, February 13, 2024 6:23 AM To: bind-users@lists.isc.org Subject: Answers from

How to use different views on DNS-over-HTTPS vs normal DNS on port 53

2024-02-12 Thread r1wcp42w--- via bind-users
Hello, How can I configure BIND9 to reply to requests from DNS-over-HTTPS with view A, and if the request is from normal DNS on port 53, reply with view B? Example: client 192.168.1.5 requests A record test.example.com with DNS over HTTPS, BIND should reply with view A client 192.168.1.5

Running systems for years without restart (was: I am provoked ...)

2024-02-11 Thread Ralph Seichter via bind-users
* Tim Daneliuk via bind-users: > But it did "provoke" a question. Does anyone think not restarting > *anything* for 10 years is a good idea? This isn't really BIND-related, so a different mailing list might be better suited for discussing the issue of ultra high avail

Re: I am provoked by ISC for the 10 years statement that ISC refuse to fulfill (Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?)

2024-02-11 Thread Tim Daneliuk via bind-users
ou patch and restart monthly at a minimum and more often for zero-days and more immediate threats. I would include among this the OS itself as well as key infrastructure services. Oh, and for the record, I think ISC does a very fine job ;) -- Visit https://lists.isc.org/mailman/listinfo/bind-

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Jordan Larson via bind-users
ot; wrote: Jordan Larson via bind-users wrote: > Was I wrong to enable “inline-signing yes” for my slave zones? I would assume > each slave would need its own DS key? Can I do that? That sounds very wrong. Your zone shall have one DNSsec key, or set of keys, that is the same on all slave servers

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-09 Thread Mark Elkins via bind-users
- there should now be some CDS records, or at least one. This should become the DS record in the Parent zone. Try and update the BIND software on all your servers to something that is supported by the community. There is no time delay required for this, just do it. (I've read the other comments

Re: acl in also-nofify

2024-02-08 Thread Greg Choules via bind-users
t; and acls > are identical as yours seem to be. I've been told that internally they are > very > different and handled differently, so I had to duplicate my work (yes, > they're > copy+paste for me) :-( > > Best, > Elmar.

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-08 Thread Jordan Larson via bind-users
Thanks for the recommendation. I will step up to the latest 9.16.X and then 9.18.X and then reassess. Is there any period I should wait between 9.16 and the 9.18 update? Thanks! From: Ondřej Surý Date: Thursday, February 8, 2024 at 2:18 PM To: Jordan Larson Cc: bind-users@lists.isc.org

Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-08 Thread Jordan Larson via bind-users
? If so I can do that but I was attempting to sort my issues before I attempt an upgrade. Thanks! Jordan From: Ondřej Surý Date: Thursday, February 8, 2024 at 2:03 PM To: Jordan Larson Cc: bind-users@lists.isc.org Subject: Re: DNSSEC setup for stealth master and multi slave/recursive - Multiple

DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

2024-02-08 Thread Jordan Larson via bind-users
Greetings! I have what is hopefully a simple question regarding proper setup around DNS. I feel somewhat comfortable navigating around BIND but possibly am getting confused around the DNSSEC portion. This is for an internally facing DNS, not exposed to the internet. High level setup

feature request for improving named-compilezone

2024-01-18 Thread Marco Davids (SIDN) via bind-users
Hi, How hard would it be to let named-compilezone keep any remarks that are present in the source file? Because now it strips them and that is problematic. -- Marco

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
Dear Greg, Björn Persson gave a reply which seems satisfying. With dig +norecurse I always get "AUTHORITY: 1". For the sake of comprehensiveness, please find attached the files you asked for. From: "Greg Choules" To: pub.dieme...@laposte.net,ma...@isc.org,bind

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Greg Choules via bind-users
lags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > > *Why AUTHORITY: 0 and not AUTHORITY: 1 ???* > > From: "Greg Choules" > To: pub.dieme...@laposte.net,bind-users@lists.isc.org > Sent: Monday 15 January 2024 18:27 > Subject: Re: Question about authoritative se

Re: Question about authoritative server and AA Authoritative Answer

2024-01-17 Thread Michel Diemer via bind-users
k. Command dig pc1.reseau1.lan ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57670 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 Why AUTHORITY: 0 and not AUTHORITY: 1 ??? From: "Greg Choules" To: pub.dieme...@laposte.net,bind-users@lists.isc

DiG DoH TLS Error

2024-01-16 Thread r1wcp42w--- via bind-users
) Extended master secret: no Max Early Data: 0 --- read R BLOCK Any idea what is causing the TLS error? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Greg Choules via bind-users
> > Thank you for your reply. > > > Please find attached the markdown file with all the commands and text > from the terminal. > > In /etc/resolv.conf I had "127.0.0.53" so I disabled the DNSStubListener > from systemd-resolved. I have netplan and networ

Re: Question about authoritative server and AA Authoritative Answer

2024-01-15 Thread Michel Diemer via bind-users
hel Diemer. From: "Greg Choules" To: pub.dieme...@laposte.net,bind-users@lists.isc.org Sent: Sunday 14 January 2024 23:28 Subject: Re: Question about authoritative server and AA Authoritative Answer Hi Michel. Please can you send the following information: - name and IP address of the

Re: Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Greg Choules via bind-users
are running the digs? - the file "/etc/resolv.conf" on "pc1" Please also re-send the digs with full output. When you send information, please send it as text, not screenshots. Thanks, Greg On Sun, 14 Jan 2024 at 22:04, Michel Diemer via bind-users < bind-users@lists.isc.

Question about authoritative server and AA Authoritative Answer

2024-01-14 Thread Michel Diemer via bind-users
Dear bind users, I have already asked a similar question which was more about DNS in general, this one is very specific about the AA bit. Today's question is: « "dig pc1.reseau1.lan ns" shows AUTHORITY: 1 and "dig pc1.reseau1.lan" shows AUTHORITY: 0. Which setting or kn

Re: dnssec-key 'unknown algorithm RSASHA512'

2024-01-11 Thread trgapp16 via bind-users
Hello, Bind version - 9.18.12 -->This is the command I used for generating dnssec-keygen keys - root@dhcpt: /etc/bind# dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com Kexample.com.+013+43215.key Kexample.com.+013+43215.private root@dhcpt:/etc/bind# cat Kexample.com.+013+43215.priv

dnssec-key 'unknown algorithm RSASHA512'

2024-01-10 Thread pvs via bind-users
Hello, I'm using Ubuntu 22.04 server on which bind 9.18.8 service is running. I'm trying to generate a dnssec-key by using the command "dnssec-keygen -a RSASHA512 -b 2048 -n zone example.com" After doing this, it is generating both public key and private key. When I gener

NOTIFY and TSIG

2024-01-08 Thread Nick Tait via bind-users
he primary server (192.0.2.1) specifies the following configuration: key "secret-key.example.com" { ... }; zone "example.com" { type primary; file "/etc/bind/db.example.com"; notify yes; allow-transfer { key "secret-key.exa

[Windows] [9.16.45] Missing IPv4 DNS prevents tools from working

2024-01-08 Thread Gentry Deng via bind-users
Hello there, Due to an accident my local network is missing IPv4 DNS but has IPv6 DNS so it has little impact on accessing the internet. But I found that neither `dig `nor `nslookup` worked, and reported an error: ``` C:\Program Files\ISC BIND 9\bin\dig.exe: parse of C:\Program Files\ISC

Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

2024-01-08 Thread Klaus Darilion via bind-users
den master) re-enable outgoing XFR. Regards Klaus From: bind-users On Behalf Of Nick Tait via bind-users Sent: Thursday, 28 December 2023 04:01 To: bind-users@lists.isc.org Subject: Re: migration from auto-dnssec to dnssec-policy deletes keys immediately On 28 Dec 2023, at 1:05 PM, Ad

Re: Unable to Query DoH with `tls none` and Plain HTTP

2024-01-02 Thread tale via bind-users
On Tue, Jan 2, 2024 at 4:38 AM Jakob Bohm via bind-users wrote: > Having the DoH server as a standalone process talking to DNS/TCP would > be a solid implementation given the constant flow of changes made to > HTTP(S) by the Big 5. Perhaps, but for reference here is the relevan

Re: Unable to Query DoH with `tls none` and Plain HTTP

2024-01-02 Thread Jakob Bohm via bind-users

Re: Unable to Query DoH with `tls none` and Plain HTTP

2024-01-01 Thread r1wcp42w--- via bind-users
Hello, Thank you very much, I was unaware of the HTTP/2 requirement and was assuming it is a bug. Is there any reason for omitting the HTTP/1.1 upgrade part of the protocol? On 2024/01/01 22:30, Ondřej Surý wrote: Hi, BIND 9 DoH implementation always uses HTTP/2, so you can't talk

Unable to Query DoH with `tls none` and Plain HTTP

2024-01-01 Thread r1wcp42w--- via bind-users
"/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/iw5hSZ1O // If your ISP provided one or more IP

named is creating excessive number of tmp-xxxxx files.

2023-12-28 Thread Marc Chamberlin via bind-users
Hello, I am running a named service on the OpenSuSE 15.4 platform. # named -v BIND 9.16.44 (Extended Support Version) and I am getting an excessive number of binary tmp-xx files created in the named chroot directory - /var/lib/named. (xx is just a bunch of random characters

Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

2023-12-27 Thread Nick Tait via bind-users
hm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy. My understanding is that after you’ve transitioned to usi

assertion error while querying?

2023-12-24 Thread Francisco Obispo via bind-users
o.6(+0x89044)[0x7f6d44aa8044] /lib/x86_64-linux-gnu/libc.so.6(+0x10961c)[0x7f6d44b2861c] ``` Francisco

RHEL, Centos, Rocky, Fedora rpm 9.18.21

2023-12-23 Thread Carl Byington via bind-users
https://www.five-ten-sg.com/mapper/bind contains links to the source rpm, and build instructions. This .src.rpm contains a .tar.gz file with the ARM documentation, so the rpm rebuild process does not need sphinx-build and associated dependencies

Re: DNSSec mess with SHA1

2023-12-20 Thread Wolfgang Riedel via bind-users
packing or installation issue outside of BIND but nevertheless it’s impacting DNS resolution in a negative way. Anyway, the easy solution to get it working without creating DNSSEC exceptions lists is: update-crypto-policies --set LEGACY … but I still think the right way would be getting people

Re: Re: zone not loaded in one of view

2023-12-19 Thread Greg Choules via bind-users
hecked the new cache_dump.db, no > `zone not loaded` anymore. > > For the original problem, because I modified serial of SOA and updated bind9 > to the latest version, it could not reproduce. Maybe it's also the similar > issue, but in the older bind 9.11, no jnl file generated via nam

Re: Zone file got updated via named process unexpected

2023-12-17 Thread Nick Tait via bind-users
esn't show it, but what you described sounds like BIND might be resigning the zone file and writing the new signed zone over top of the original file? If so, the solution is to use inline-signing: https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-inline-signing Note that there have

RE: unable-resolve-bank=domain

2023-12-17 Thread MEjaz via bind-users
-banking.gslb.sabbnet.com): ignoring nsec because name is past end of range Ejaz -Original Message- From: MEjaz [mailto:me...@cyberia.net.sa] Sent: Sunday, December 17, 2023 11:16 AM To: 'Ondřej Surý' Cc: 'bind-users@lists.isc.org' Subject: RE: unable-resolve-bank=domain My queries

RE: unable-resolve-bank=domain

2023-12-17 Thread MEjaz via bind-users
, December 17, 2023 11:01 AM To: MEjaz Cc: bind-users@lists.isc.org Subject: Re: unable-resolve-bank=domain > On 17. 12. 2023, at 8:20, MEjaz via bind-users > wrote: > > Any hint would be highly appreciated.. Paraphrasing: Logs or it didn’t happen… Always start with logs. Th

unable-resolve-bank=domain

2023-12-16 Thread MEjaz via bind-users
023 ;; MSG SIZE rcvd: 101

Re: DNSSec mess with SHA1

2023-12-15 Thread Wolfgang Riedel via bind-users
— Cheers, Wolfgang -- Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559 On 15. Dec 2023, at 12:46, Wolfgang Riedel via bind-users wrote: Hello Petr, The issue is not just BIND loc

DNSSec mess with SHA1

2023-12-13 Thread Wolfgang Riedel via bind-users
Hi Folks, I just wonder what's your take is on the current DNSSec mess with SHA1? There are still a lot of top level domains being signed with SHA1 and look like nobody really cares? Current OS releases like RHEL9 and others simply removed SHA1 from the code so if you're running BIND

Re: Instructions to use delv to test DNS configured domain before DS uploaded to parent

2023-12-13 Thread Brett Delmage via bind-users
and to answer my own question as I finally found the section in the manual here: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#verification On Wed, 13 Dec 2023, Brett Delmage via bind-users wrote: Sorry, I pasted the wrong version (too many remote shells open today) Should

Re: Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Greg Choules via bind-users
r can reach the Internet it can recurse all on its own. I hope that helps. Greg On Wed, 13 Dec 2023 at 16:29, Michel Diemer via bind-users < bind-users@lists.isc.org> wrote: > > Dear Bind user, > > I am a teacher and trying to understand how dns works. I am spending h

Question about DNS / bind9 / authoritative and NXDOMAIN vs NOERROR (NODATA)

2023-12-13 Thread Michel Diemer via bind-users
Dear Bind user, I am a teacher and trying to understand how dns works. I am spending hours reading various sources without finding satisfying information. For teaching purposes I have created a virtual machine with isc dhcp server and bind9 and another virtual machine that uses

Re: Instructions to use delv to test DNS configured domain before DS uploaded to parent

2023-12-13 Thread Brett Delmage via bind-users
Sorry, I pasted the wrong version (too many remote shells open today) Should be: ii bind9 1:9.18.19-1~deb12u1 amd64 Internet Domain Name Server ii bind9-utils 1:9.18.19-1~deb12u1 amd64 Utilities for BIND 9 On Wed, 13 Dec 2023, Brett Delmage wrote: I previously used

Instructions to use delv to test DNS configured domain before DS uploaded to parent

2023-12-13 Thread Brett Delmage via bind-users
Thanks. Brett

Re: How do I debug if the queries are not getting resolved?

2023-12-12 Thread Greg Choules via bind-users
ue, 12 Dec 2023 at 17:42, Blason R wrote: > Thanks folks > > I just disabled DNSSEC validation from bind config file (globally) and > those domains started resolving fine. > > > On Tue, Dec 12, 2023, 13:25 Greg Choules < > gregchoules+bindus...@googlemail.com> wr

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Greg Choules via bind-users
ith your own problem. Cheers, Greg On Tue, 12 Dec 2023 at 00:48, Blason R wrote: > Oh I forgot to tell you that. This is BIND RPZ and all the queries are > recursive. > > Dig output just dies out and does not spit anything. > > And this specifically I noticed with .gov and .gov.i

Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Grant Taylor via bind-users
On 12/11/23 18:47, Blason R wrote: Oh I forgot to tell you that. This is BIND RPZ and all the queries are recursive. Okay, what RPZ configuration do you have? Is it messing with the queries you're testing in any way? What configuration do you have for RPZ related to DNSSEC? Dig output

RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-07 Thread Bhangui, Sandeep - BLS CTR via bind-users
3 10:19 PM To: Bhangui, Sandeep - BLS CTR Cc: Nick Tait ; bind-users@lists.isc.org Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov CAUTION: This email originated from outside of BLS. DO NOT click (select) links or open attachments unless you recognize the sender and know t

RE: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
on the dotgov.gov did not happen correctly. Thanks Sandeep From: bind-users On Behalf Of Nick Tait via bind-users Sent: Wednesday, December 6, 2023 3:23 PM To: bind-users@lists.isc.org Subject: Re: dnssec-delegation seems to be broken from .gov to bls.gov CAUTION: This email originated from outside

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 9:05 am, Nick Tait via bind-users wrote: I could be wrong, but based on the output above it looks like the current TTL is 0, which means that doing this should provide immediate relief. Sorry it looks like the DNS server on the Wi-Fi network I'm connected to has done something

Re: dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Nick Tait via bind-users
On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote: Hi It seems the DNSSEC delegation is broken from “.gov” to the bls.gov domain, due to which the records for bls.gov are considered bogus and we are having issues at our site. It looks like we were in the process

dnssec-delegation seems to be broken from .gov to bls.gov

2023-12-06 Thread Bhangui, Sandeep - BLS CTR via bind-users
. Please advise. Thanks Sandeep

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-04 Thread Gérard Parat via bind-users
u have a specific reason to use PKCS#11 I would suggest to simply avoid it until the dust settles. Adding SoftHSM2 on top of BIND 9 doesn't really increase security as the user under which named runs has to have access to the private key data anyway. Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My w

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
. Gérard Le 03/12/2023 à 18:40, Gérard Parat via bind-users a écrit : Hi, I used this tutorial as reference to setup DNSSEC with SoftHSM2: https://kb.isc.org/docs/bind-9-pkcs11 I installed the Debian package instead of building libp11: libengine-pkcs11-openssl:amd64    0.4.12-0.1 It works until

Re: dnssec-keyfromlabel not working with Debian 12 (bookworm)

2023-12-03 Thread Gérard Parat via bind-users
Please do not feel obligated to reply outside your normal working hours. On 3. 12. 2023, at 18:41, Gérard Parat via bind-users wrote: Hi, I used this tutorial as reference to setup DNSSEC with SoftHSM2: https://kb.isc.org/docs/bind-9-pkcs11 I installed the Debian package instead of build
