KASP Inactive/Retired timestamps

2020-05-19 Thread Gregory Shapiro via bind-users
After the fantastic ISC DNSSEC webinar series last month, I began using KASP for my DNSSEC signed zones. I have noticed an odd behavior with regard to the files BIND keeps in keys/ (K*.key, K*.private, and K*.state). For inactive/retired keys, every BIND restart updates the dates in those

DNSSEC validation via AD bit?

2022-01-30 Thread Gregory Shapiro via bind-users
sendmail's implementation of DANE determines whether DNSSEC validation was successful based on the presence of the AD bit in the response to the DANE record lookup. An equivalent dig lookup would be:

% dig TLSA _25._tcp.smtp.gshapiro.net.
...
;; Got answer:
;; ->>HEADER<<-

Catalog zone failure

2023-04-30 Thread Gregory Shapiro via bind-users
I've created a catalog zone, have it successfully secondarying on the secondary server but using it as a catalog zone fails with:

Apr 30 05:33:48 keef named[7473]: catz: zone 'gshapiro.net' uses an invalid primary (no IP address assigned)
Apr 30 05:33:48 keef named[7473]: catz: error "failure"

Re: Catalog zone failure

2023-04-30 Thread Gregory Shapiro via bind-users
>It looks like you are using a default labeled primary server without an
>IP address, i.e. the TSIG key name is there for "tsig.primaries.ext",
>but the A/ record for that name is missing:

Interesting. I ended up just removing the TXT record but it is unclear why the zone entries