The BIND9.9.0rc2.zip Windows installer allows for a "Tools Only" installation.
With this you can avoid having to enter the service account information that
will not be needed. However, the only tools you get are dig.exe, nslookup.exe,
and a couple of others.
It would be nice to also include dns
> I am trying to validate DNSSEC signature on ns record using dig.
> Domain nox.su is properly signed using DNSSEC.
> I am trying to validate it as described here:
> http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trus
>> named (BIND 9.7.4-P1)
>> err named[9964]: 05-Feb-2012 17:23:16.586 general: error: zone
>> 127.IN-ADDR.ARPA/IN/internal: zone serial (0) unchanged. zone may fail
>> to transfer to slaves.
> Ignore it. The message is suppressed in the next maintenance release.
I see similar messages in 9.9.0rc
>> Feb 4 15:53:46 nsb0s named[9090]: zone jspain.us/IN (signed): zone serial
>> (2012013003) unchanged. zone may fail to transfer to slaves.
> I suspect that it is benign. Had you just thawed the server/zone?
After a review of the logs over the past several days, I see that this message
occurr
> I know this is a bind list, but does anyone know any public information about
> when/if Microsoft is going to release a SHA2 compatible DNS server so it can
> be used as a validating DNSSEC resolver without forwarders? Since the root
> trust anchor is published in SHA2, currently it can't be u
> dnssec-signzone: fatal: key myKSK.key not at origin
What are the contents of myKSK.key?
The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the domain
origin.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
___
Plea
William: In my tests of DNSSEC, I have used 'auto-dnssec maintain;' rather
than explicitly signing the zone with dnssec-signzone. I believe I recall that
you are using bind 9.8, so this should work for you as well. Here's something
you can try:
In your bind configuration use the following zone
> Please comment on this state diagram:
> https://www.chaos1.de/svn-public/repos/network-tools/DNSsec/trunk/dnssec_key_states.pdf
For greater clarity, I suggest that for the state transitions (captions on the
arrows), you refer specifically to the four metadata timestamps that are
present in the
> It's because a few load balancer vendors don't read freely available
> specifications but instead appear to reverse engineer the protocol and get it
> wrong.
> BIND 9.7.0 fixed a long standing of accepting glue promoted to answer by
> parent nameservers. Once we did that there was no need to
>>> I recommend "activate" + "publish" at the same time.
>> I'd appreciate knowing your reasoning for preferring this
> You are going from unsigned to signed. There is no benefit in publishing,
> waiting then activating.
The IETF draft "DNSSEC Key Timing Considerations"
(http://tools.ietf.org/h
> As Tony Finch pointed out to me a few days ago, the Google public servers
> don't understand that fact about DS records, and don't know to ask for them
> in the parent. But here's something interesting - as of my testing just now,
> they *do* respond with DS records
This thread has been kind
> But another question remains, where's the DNSKEY record which is the missing
> link as of the current time.
> Querying --
> dig +dnssec -t DNSKEY yahoo.com @198.41.0.4
> Does not return anything.
I think that yahoo.com is probably not a DNSSEC-signed zone and so has no
DNSKEY records. Otherwise
> Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC
> capable domain; in fact this server has issues -
> dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
> I'd be really happy if I could get some domains which are signed.
Try this one: dig @bind.odvr.dns-oarc.net. isc.org
>> Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec You should
>> get an AD flag returned and a variety of RRSIG records. Jeff.
> I hope I'm not missing any concepts here, but there should be a public key to
> verify the RRSIG, where's that? Shouldn't the server return additional DNSKE
>> Ok, thanks a lot. I thought it was a client process. Now I can query
>> for the DS, DNSKEY records from isc.org.
>> Final question -- bind.odvr.dns-oarc.net is a cache right? Does bind
>> have such a caching program? Do we have a DNSSEC capable resolver in BIND?
> Bind *is* a caching program.
> We have a Authenticated Response in DNSSEC through trust chain.
> Now my question is why we ourselves need an NSEC when we get a response from a
> DNSSEC enabled server authentically.
> Means, if a Record exists in DNSSEC, then it replies the answer along with
> RRSIG of that RR.
> AND if domain doesn
The configuration below is for a bind 9.9.0rc3 server named nsb0s providing
inline signing service for a hidden master nsb0 and slaves nsb1 and nsb2. The
latter three are running bind10-devel-20120119. Nsb1 and nsb2 are also known as
ns1.jaspain.net and ns2.jaspain.net.
In an effort to test the
> I'm looking for advice on an issue. I have a publicly registered domain
> which we also use internally. I have bind configured as a caching DNS
> server. Bind is configured to use four other Windows DNS servers as
> forwarders for the domain. Bind should be using the root servers for
> an
> Ok. The retransfer code needs to look at the unsigned zone rather than the
> signed one which should fix the not found issue. The following should fix
> the issue. It compiles but otherwise has not been tested.
Thanks, I will try it and get back to you with the result.
> As to soa refresh
Mark: Your patch version 3 is included below to confirm that this is the
correct one. Initially the patch didn't work properly due to a missing line
break before "@@ -5993,6 +5994,12 @@". I fixed that and ran the bind9.9.0rc3
installation again. A manual inspection of server.c afterwards indicat
> With the properly patched bind 9.9.0rc3 running, 'rndc retransfer
> jaspain.biz' generated no output, presumably indicating success.
> The log showed some related error messages, however...
> Seems like it is confusing the serial numbers of the signed and unsigned
> zones.
I installed the bi
I reviewed RFC 6303, which recommends configuring a number of zones using an
empty zone file as follows:
@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @
In bind 9.9.0 this results in errors for each zone referring to the empty zone
file as follows:
Feb 29 19:24:30 ns0s
>> Changing the second line ('@ 10800 IN NS @') to '@ 10800 IN NS localhost.'
>> eliminates the errors.
> The built in empty zone processing is aware of the special case of NS records
> without address records. The generic zone processing rules treat this as a
> an error condition.
Just for clari
>> Just for clarification, do I understand correctly that if none of the
>> empty zones described in RFC 6303 are set up explicitly in the bind
>> 9.9.0 configuration file, then bind 9.9.0 will process them as such
>> anyway using built-in generic zone processing rules?
> Yes. To expand a bit
> In my named.conf I have set up empty zones for the whole of 240/4. I view RFC
> 6303 as the minimum necessary for a hygienic name server, but there are a
> number of other permanent bogon address ranges which it makes sense to stub
> out locally.
Would you please elaborate on how you are mana
>> If the root hints are updated on ftp://rs.internic.net/domain/, would
>> it require a new build of bind to incorporate them, or is bind able to
>> update its built-in root hints by some other means?
> No, it requires a rebuild after changing lib/dns/rootns.c. But using a mildly
> out-of-date
>> No, it requires a rebuild after changing lib/dns/rootns.c. But using a
>> mildly out-of-date hints file is usually harmless - it is only a *hint*.
> Right. One of the first things BIND does after starting up is query one of
> the root servers to get the current set of root servers.
Thanks. T
> Didn't the answer to the NS query include the addresses in the Additional
> Section? It does when I perform the query manually. It gets cut off with
> the default packet size, but if EDNS0 is used it will include them all.
The addresses are included in the additional section. Missed that ear
> We thought of two other differences between this zone and the others:
> 1. this zone has NS records with servers that are in the zone itself, and 2.
> our global "also-notify" option contain IP addresses that resolve to host
> names in this zone.
I don't have a handle on the underlying proble
> Can anyone help me with their experience on reverse DNS for IPv6?
> Presently, when we reverse an IPV4 subnet for clients, we configure all the
> reverse for the whole subnet.
> It is a lot of PTR's but perfectly manageable.
> With IPV6, the number of IP's that we will receive is amazing
> S
root@ns0s:~ # named-checkzone
usage: named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat]
[-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)]
[-m (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i
(full|full-sibling|local|local-sibling|none)] [-M (ignore|
I tested this by capturing network traffic on a bind 9.9.0 recursive resolver.
The commands 'rndc flush' followed by 'dig @localhost funnygamesite.com'
resulted in the following:
1. A query to m.gtld-servers.net.
2. The same referral response that you got below.
3. A follow-up query 500 microseco
> But if only some IPs have a reverse..what about the other server who have
> received an IP in the range? IP that can be changed every x hours.
> If no reverse, it can be blacklisted for some reasons or having some problems
> with services asking a reverse dns resolution.
In my ip6.arpa zone, al
> What is the proper format to write a DKIM TXT?
There seems to be quite a bit of information about this available via Google
search. Here's one reference I found that gives some step-by-step instructions:
Creating DKIM TXT Records in Linux/UNIX Bind
http://forum.unifiedemail.net/default.aspx?g=p
> I would recommend that dnssec-keygen starts ignoring the "-e" parameter that
> everyone has put in their scripts to prevent exponent 3 keys, who are not
> getting keys with exponent 4294967296 + 1 (F5)
> Alternatively, if this is done on purpose, I guess we should all migrate the
> 64 bit mac
> It's not about integer overflow, it's about the fact that F5 does not add to
> the security, but does use up a lot of CPU cycles.
I'd like to study this issue more. Would you please provide a reference that
discusses your assertion that using an F5 public exponent does not add to the
security
> Well, go argue with Adam Langley in the bug report I submitted (and Paul
> quoted in this thread).
You're making an argumentum ad verecundiam, which I can't reasonably pursue. In
the bug report
(http://code.google.com/p/go/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Status%20Stars%20Pr
> There's quite a bit about choosing e in this presentation:
> http://www.esiea-recherche.eu/Slides09/slides_iAWACS09_Erra-Grenier_How-to-compute-RSA-keys.pdf
> However, I don't understand the math, so I can't say whether any of the
> advice is reasonable :(
Interesting document, although I'm no
> I'm testing out dnssec with bind 9.9.0's auto signing and a test domain; this
> appears to be working (see below, RRSIG records returned from the actual
> nameserver), however and attempt to validate fails with:
> # dig +dnssec +sigchase soa raindrop.us
> When I simply try to validate the root:
Alan: Comments on your configuration file:
I believe that managed-keys... and zone "." { type hint... are built into bind
9.9.0 recursive resolvers and therefore not needed. You can enable the built in
root trust anchor by changing dnssec-validation from yes to auto.
I think that listen-on { 12
> Isn't the "DS for the zone: ." what the "managed-keys" clause provides?
> Though putting it back in didn't make the warning go away, so I must be
> missing something else here...
Any difference with dnssec-validation auto and removing the managed-keys and
root hint zone? Jeff.
> Why would 149.20.64.20 return ad then? It's not authoritative either...
As I understand it, you need a dnssec-enabled recursive resolver to get an AD
flag returned. An authoritative-only server will never return an AD flag. Jeff.
> Though I am still curious about this from the end of sigchase output:
> Launch a query to find a RRset of type DS for zone: .
> ;; NO ANSWERS: no more
> ;; WARNING There is no DS for the zone: .
> Isn't the "DS for the zone: ." what the "managed-keys" clause provides?
Now I think I see what you
> I was setting up BIND DNSSEC and when I issue the following command the
> process never finishes.
> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
Take a look at the Entropy Key (http://www.entropykey.co.uk/). See also a
discussion (http://jpmens.net/2012/01/24/entropy-random-data-for-dn
> We are authoritative for a few dozen small zones. Is it possible to use the
> same KSK for all of them? I can see where if it gets compromised we would
> need to resign all zones using the KSK at once. How much effort would I be
> saving sharing the KSK?
My sense is that you would be creat
> When I update the SOA record of the master zone file, if I reload the zone
> with "rndc reload", the SOA record is updated. If I perform a stop/start of
> the named executable, the SOA change is not updated.
Ralph: There was a lot of discussion about this issue on the bind forum around
the fi
> 1. In down level Windows, everything is OK.
> 2. In upper level dns(bind), ns record, and A record of nameserver is fine.
> 3. But A record in Windows Server cannot be resolved by upper level BIND.
> I think maybe I have to do something in my windows server to "connect"
> windows with linux bind?
> Reading the section on delegation in the O'Reilly book, I'm confused about
> something: The parent is configured to delegate the subdomain to the child
> with glue records, etc. But how does the child know who to ask if a host in
> the
> subdomain requests a record in the parent zone? They don't
> Multiple zones with a single key - is possible with BIND ?
There was a recent discussion on this topic. See thread beginning at
https://lists.isc.org/pipermail/bind-users/2012-April/087481.html. Jeff.
> (I hope that it's fine to ask about issues connected with the previous
> version of bind.)
Bind9 has its own listserv at bind-users@lists.isc.org. There are many DNS
experts available there.
> Could you confirm that my settings are correct?
> I'm using this guide (my configuration scenario is
> How can I find out which Unix files/libraries bind requires before I do the
> compile?
I have successfully built Bind 9.9.1 on Ubuntu 12.04 LTS (Precise Pangolin).
Since Ubuntu comes with a previous version of the Bind 9 utilities installed, I
uninstall the following packages:
apt-get purge b
>> I need to understand the difference between configuring bind views and
>> having multiple instances of bind. I have 5 network interfaces on my
>> server and I want to have 2 instances of DNS server (just for testing)
>> and I don't know which one to do ?
> BIND views are powerful, but config
> With "auto-dnssec maintain", I expect the Zone Signing Keys and the
> individual RRSIGs to be completely managed and rotated as needed by bind, per
> https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
and the Admin Reference, however, at the end of 4.9.7, it sa
> I didn't like the fact that the unsigned serial (which I manage) was lower
> than that of the signed zone. Making it bigger than the signed zones version
> appears to have gotten the zones back in sync - however the slave is still
> not getting any Notifies (and has not yet caught up).
With "
> What tools/commands I can run to get plain ascii/text data out of modern
> raw/binary on BIND 9.9.x slaves?
> I just want to verify that changes are correct down to the slaves. So - I can
> check-in these changes into svn etc.
See the ARM under named-checkzone.
http://ftp.isc.org/isc/bind9/cu
> Would an option be to do a dig axfr on the zone?
That works if "allow-transfer" is set appropriately. It gives you the zone data
in canonical rather than relative format. Jeff.
> However - I guess it's a little less efficient than the new default 'raw'
> mode, especially for large zones. Consider a change of approach and if it's
> just an automated check - try 'dig'? I'm finding with in-line signing that
> zones are often spread about in journal files - which makes optio
> I'm a BIND novice and I'm trying to understand what causes my BIND9 resolver
> (bind97-9.7.0-10.P2) to return an error when queried for the A record of
> vlasext.partners.extranet.microsoft.com:
FWIW I'm not able to reproduce this using a BIND 9.9.1-P1 recursive resolver.
On this system "dig
I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The
Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but
section 4.9 presents some clues. I'd like to ask the experts on this list if
the following procedure might accomplish an algorithm rollover cleanly
> I don't think that bind trying to sign with non-existent key will do any harm
> - probably just warning.
> But it's simpler - change metadata of the key - set deletion time to the time
> you want the key to be deleted (like DS deletion time+TTL).
> Bind with auto-dnssec allow re-reads the metad
> I discovered that if there was not at least one KSK and ZSK of the same
> algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of
> one year and ZSK of one month, effectively to roll a key algorithm and
> without forcing the roll-over by removing all the old key/algorithm
>> I discovered that if there was not at least one KSK and ZSK of the same
>> algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life
>> of one year and ZSK of one month, effectively to roll a key algorithm and
>> without forcing the roll-over by removing all the old key/algor
I propose the following addition to the Bv9ARM, and request review and comment
by the experts on this list.
--
4.9.14 DNSKEY Algorithm Rollover
From time to time new digital signature algorithms with improved security are
introduced, and it may be desirable for administrators to roll
>> My experience with changing the timing metadata or removing the key
>> files is that named issues a warning like the following: zone /IN:
>> Key // missing or inactive and has no
>> replacement: retaining signatures. In this circumstance none of the
>> RRSIGs or NSECs are removed. They sit the
> If no listen-on statement is included, will requests be processed and
> logged?
From Bv9ARM, p. 68: "If no listen-on is specified, the server will listen on
port 53 on all IPv4 interfaces." A client could query a quad-A or any other
record using IPv4 network transport, and that would
> 1. Generated KSK and ZSK
> 2. Added both keys at the end of my zone file
> 3. Signed my zone with the dnssec-signzone command
> 4. Enabled dnssec in named options
> 5. Changed the name of my zone in named to namezone.signed
> 6. I got the root DNSKEY RR set before with dig comm
> All these steps have been done well, but the last step:
> Generate DS records and provide them to your registrar.
> has not been fluent for me. I found how I can provide the key to the registrar; I
> used this command:
> dnssec-dsfromkey -2 Kwillzik.co.uk KSK.key "is it the good way to do?"
That comma
> Please tell me how to download and install Nsupdate from BIND 9 to run on an
> Windows XP client?
1. Download http://ftp.isc.org/isc/bind9/9.9.1-P3/BIND9.9.1-P3.zip.
2. Expand the archive and run BINDInstall.exe.
3. Verify and change the target directory according to your preference.
4. Check
> What are other people using to automate key rollovers with 9.9?
Michael: I automated mine by generating a set of 9 ZSKs and 2 KSKs for each
zone in advance, setting the timing metadata to achieve a 90-day prepublication
rollover cycle for the ZSKs and a 720-day rollover cycle for the KSKs. Onc
> Are there relatively recent instructions on how to build BIND from source and
> run it in a chroot environment? It sounds obvious but everything I've come
> across assumes BIND is provided by some package manager or included with the
> operating system. I'd like to build the latest version of
For bind 9.9.3 build on Ubuntu 12.04LTS x64, I see log messages, for example,
"/etc/bind/named.conf.local:4: zone 'jaspain.biz': missing 'file' entry" for
each slave zone configured for inline signing. The file clause is, in fact,
present in the configuration file, for example:
zone "jaspain.biz
> Have you looked carefully enough, and to the correct file if there is no
> missed character that makes the configuration invalid?
> Have you run named-checkconf with and without the given file as parameter?
The log message is new since bind-9.9.2-P2 with no changes to the configuration
files. T
> The brackets were wrong and we should have checked that obj was true.
The patch you provided makes the log message go away. The bind9 service appears
to be working normally, and named-checkconf produces no output. Thanks. Jeff.
>> The brackets were wrong and we should have checked that obj was true.
> The patch you provided makes the log message go away. The bind9 service
> appears to be working normally, and named-checkconf produces no output.
> Thanks. Jeff.
FYI. The patch for /lib/bind9/check.c provided earlier in
> Looking at this further, it appears when EDNS is turned on in the Windows
> 2008 R2 DNS server (default, accepting DNSSEC responses), resolution fails
> occasionally with a SERVFAIL when NODATA is returned to BIND (i.e. 0 answers
> with a status code of NOERROR.)
I'm using Windows Server 2012
> Perhaps someone who has a Windows 2008 R2 domain can go ahead and confirm
> this, but so far the only way I can see to mitigate this issue is either:
> 1. Disable EDNS on Windows 2008 R2 (which essentially disables the ability to
> accept DNSSEC based responses) or 2. Disable DNSSEC support in
>> Based on a Microsoft tech support case that I opened, the only way to fix
>> this was to turn off EDNS ("dnscmd /config /EnableEDnsProbes 0").
>> This also seems to have been fixed in Windows Server 2012.
> What a bummer, this essentially stops anyone from using DNSSEC validation
> correctly
Assuming a Linux BIND host, in /etc/network/interfaces something like the
following might work for your IPv6 configuration:
iface eth0 inet6 static
address 2001:1930:e03::e
netmask 64
gateway 2001:1930:e03::
where you would substitute for the interface identifier
In the Windows DNS Manager, open the Properties page of the applicable DNS
server. On the Forwarders tab, click Edit and enter the IP address(es) of the
BIND server(s) to which you want the Windows DNS server to forward queries.
Click OK, and now back on the Forwarders tab, uncheck "Use root hin
For our zone countryday.net, which is configured with "auto-dnssec maintain"
and is running on bind 9.8.0, a ZSK rollover is in progress but seems to be
failing.
The metadata for the original key is:
; This is a zone-signing key, keyid 2750, for countryday.net.
; Created: 20110402153620 (Sat Ap
Thanks, Phil.
> How big is the zone, and how did you sign it originally? If you used "rndc
> sign", then there will be little jitter in the RRSIG so they'll all tend to
> roll over together.
For most of our zones, I signed them manually using dnssec-signzone and tuning
the jitter for a consta
> What does `rndc sign ` do?
Thanks, Tony. I have never run rndc sign, as the zone is configured with
auto-dnssec maintain. Before intervening in this manner, I would like to gain a
greater understanding of what is going on. Thanks. Jeff.
Thanks, Phil. The document I used to set up the rotation schedules is "Good
Practices Guide for Deploying DNSSEC" at
http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec. It recommends a
two-week interval between ZSK inactivation and deletion. I will carefully study
the IETF draft bel
Assume that bind 9.8.0 is in operation. A zone is configured with auto-dnssec
maintain, and the zone signing keys K and its successor K' are published.
Further assume that the activation time for K has passed and the zone is
properly signed with K. Now suppose that the activation time for K' arr
> And now, as July 1 has passed and July 9 approaches, can you share a
> summary of what you found? Thanks.
> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
On June 10, our zone countryday.net running on a bind 9.8.0 server began a
Lyle: If I understand your issue correctly, it is one that I also experienced
when using a Windows 2008 R2 DNS server to forward to a BIND 9.8.0 recursive
resolver configured to perform DNSSEC validation. By default Windows 2008 R2
DNS forwards queries with the CD flag set in the query, and it i
Walter: I have compiled bind 9.8.0 on Ubuntu Natty on a number of VMs on ESXi
4.1 and 5.0. There have been no problems with either authoritative or recursive
name services. The potential issues with NTP on virtual machines are, I think,
not related. They have to do with the fact that the VM does
Hi, Michelle. Best practice is to choose your 64-bit interface identifiers
randomly, for example 7492:4f89:d821:cf19. Your complete IPv6 address would
then be 2a01:4f8:d12:1300:7492:4f89:d821:cf19. When you generate your own
random IIDs, mask them with FCFF::: to clear the universal
I am testing bind 9.9.0b1 compiled on Ubuntu Oneiric x64 (nstest.jaspain.net).
I configured a zone as follows:
zone "jaspain.net" {
type master;
file "/var/lib/bind/jaspain.net/jaspain.net.db";
key-directory "/var/lib/bind/jaspain.net";
update-policy local;
Thanks, Evan. Can you also comment about the meaning of "BITWS=201502" at
the beginning of the output of named-journalprint? Jeff.
-Original Message-
From: Evan Hunt [mailto:e...@isc.org]
Sent: Friday, November 18, 2011 1:59 PM
To: Spain, Dr. Jeffry A.
Cc: bind-users@lis
I'd like to ask for clarification on the operational issue stated below.
Suppose there are no current changes to an inline-signed master zone, i.e.
myzone.db.signed timestamp is later than myzone.db timestamp. In this
circumstance, is it safe to stop and restart the bind service or reboot the
s
> 1. Do you have basic example/steps to configure RPZ in Bind? ( I need couple
> of examples like /etc/named.conf file and zone files for rpz
> 2. If I use RPZ, recursive DNS will contact remote RBL database for every DNS
> query?
> 3. Is it possible to download DNS RBLs locally on the DNS serve
If you are concerned about a repeat of the IPv4 address exhaustion problem,
this is a different issue. The 64-bit IPv6 interface identifier has to be
unique for each device on an IPv6 subnet. Even if you choose the IIDs randomly
for, say, 1000 devices, the probability of a duplicate is very low.
When bind 9.9.0b2 starts up, the syslog shows the following messages:
Nov 22 10:18:19 nstest2 named[17190]: using default UDP/IPv6 port range: [1024,
65535]
Nov 22 10:18:19 nstest2 named[17190]: listening on IPv6 interfaces, port 53
Nov 22 10:18:19 nstest2 named[17190]: socket.c:5728: unexpected
Kevin: I did something similar, using nsupdate to modify the unsigned zone
instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and
myzone.db.signed.jnl files all get updated appropriately. "rndc reload" is not
necessary. It is interesting to note that the serial number in t
Evan: I'd like to ask for clarification. My understanding is that
"inline-signing yes;" is necessary to cause bind to keep separate signed and
unsigned zone files, and that the source of the unsigned zone file can be a
disk file in the case of a master, or a zone transfer in the case of a slave.
> Now, you can *also* turn on DDNS and use nsupdate on an inline-signing
> zone... but, if you're going to be using DDNS anyway, then I'm unclear what
> operational need is being served by separating the data. With or without
> inline-signing, your master file will be overwritten, and you'll h
> dig axfr dotat.at | grep -v RRSIG. Tony.
> dig axfr dotat.at | grep -v RRSIG | grep -v TYPE65534 | grep -v DNSKEY | grep
> -v NSEC3PARAM. JP.
> dig axfr zone | awk '$4 !~ "^NSEC$|^NSEC3$|^RRSIG$" {print}'. Shumon.
Thank you, gentlemen. These are very helpful. As we are primarily Windows
users,
> I don't understand why Windows doesn't include dig by default, even now.
> Free software hate?
I wonder if it some kind of intellectual property issue. Microsoft has to be
able to sell Windows and therefore must consider any added costs related to
including a component that they do not own a
> Does anyone provide a zone with a trust anchor that is frequently rolled
over in that way, just so that one can see whether it really works? Then
one's feelings might be warmer and less fuzzy...
I looked at the DNSSEC section of the bind test suite
(bind-9.9.0b2/bin/tests/system/dnssec) to see