On Fri, 4 Dec 2009, Chris Thompson wrote:
[It's never been entirely clear to me why these functions have to be
combined, especially given that server [ipaddr/len] {bogus yes;};
can be used to block outgoing queries.]
The CIDR syntax for server clauses is relatively new. Before it was added
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
On Tue, Feb 23, 2010 at 09:56:55PM -0500,
Diosney Sarmiento Herrera diosne...@gmail.com wrote:
Does it make any sense to blacklist the private address ranges on a server
that is facing the Internet?
I am not sure I parse your sentence correctly but may
On Tue, 23 Feb 2010, Joe Baptista wrote:
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed.
It looks pretty lively to me. DNSSEC has multiple interoperable
implementations, and it will be deployed in the most important zones this
On Sat, 20 Mar 2010, Glenn English wrote:
Just why qmail reports a T_ANY failure as a CNAME failure, I also don't
know.
This is a bug in qmail. It tries to canonicalize domains in the SMTP
envelope of outgoing messages. It originally did this by performing CNAME
queries on each domain, but
On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:
We are facing query drops when using the dnsperf tool from ISC to test the DNS
service via a load balancer. Multiple queries from the same source port are
being partially dropped by the load balancer and, as per the load balancer
vendor feedback, this is
On 19 Apr 2010, at 20:40, Chris Thompson c...@cam.ac.uk wrote:
On Apr 19 2010, I wrote:
[...]
Of course, it could also prove there is no DS record for
private.cam.ac.uk, but the absence of NS records as well
apparently makes it think that private.cam.ac.uk is bogus.
More experiments
On Wed, 14 Jul 2010, Chris Thompson wrote:
With 9.7.1-P1 (and a trust anchor for dlv.isc.org) on a local workstation
dig +dnssec -t RRSIG www.forfunsec.org @127.0.0.1
initially times out. But after doing
dig +dnssec -t ANY www.forfunsec.org @127.0.0.1
the same command reports the three
On Sat, 17 Jul 2010, Stephane Bortzmeyer wrote:
OK, let's rephrase it: as far as I know, the root managers did not
announce that they will follow RFC 5011. But maybe they did and I
just missed the announcement, or maybe they will do it in the
future. But check yourself before using
On Tue, 20 Jul 2010, Chris Thompson wrote:
However, I haven't yet been able to work out exactly *what* is wrong
with the response, as demonstrated by dig (say). Any ideas?
Could it be complaining about the lack of compression?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
NORTH
On Tue, 20 Jul 2010, Chris Thompson wrote:
However, I haven't yet been able to work out exactly *what* is wrong
with the response, as demonstrated by dig (say). Any ideas?
Got it. The nameservers for ucas.com give a referral for odbc.ucas.com.
That means the zone for odbc.ucas.com is
On Tue, 20 Jul 2010, Kevin Darcy wrote:
It seems that UCAS is just proxying non-A queries from its load-balancers back
to its regular nameservers.
No, the load balancers are simply braindamaged. Try SOA or NS or TXT
queries and you get a timeout.
Tony.
--
f.anthony.n.finch d...@dotat.at
On Thu, 22 Jul 2010, Atkins, Brian (GD/VA-NSOC) wrote:
Does anyone know of an existing script or program that can parse a zone
file and verify records against an active server?
Have you looked at named-checkzone?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
FORTIES: NORTH 5 OR
On Sat, 24 Jul 2010, Warren Kumari wrote:
On Jul 23, 2010, at 2:37 PM, Danny Mayer wrote:
Why would any inspection policy not allow fragmented UDP packets?
There's nothing wrong with that.
Because it's hard. The issue is that then you need to buffer
fragments until you get a full
On Thu, 5 Aug 2010, Lyle Giese wrote:
zone mydomain.com {
    type forward;
    forward only;
    forwarders { ip address of priv server; };
};
The priv server needs to be authoritative (and probably master) for
mydomain.com.
As I understand it, BIND makes recursive queries to forwarding servers. If
the
On Fri, 6 Aug 2010, Martin McCormick wrote:
I have started looking at various ways for our
organization to begin using DNSSEC, as this appears to be a high
management priority and it will eventually become necessary to
operate. We have a fairly simple structure with an official master
On Mon, 9 Aug 2010, Shiva Raman wrote:
I tried implementing dnssec using the following document
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/
That is rather out of date: it does not cover some important BIND-9.7
DNSSEC validation features, specifically RFC 5011
On Mon, 9 Aug 2010, CLOSE Dave (DAE) wrote:
Based on suggestions here, I now have a named.conf file like this:
options { ... };
logging { ... };
zone . IN { type forward; forwarders { PUB; }; forward only; };
zone HOST1 { type forward; forwarders { PRIV; }; };
zone HOST2 {
On Tue, 10 Aug 2010, Joseph S D Yao wrote:
On Fri, Aug 06, 2010 at 10:43:01PM +0100, Tony Finch wrote:
...
As I understand it, BIND makes recursive queries to forwarding servers. If
the target is authoritative, you configure the zone as a stub. This is not
documented.
I believe
On 30 Aug 2010, at 00:02, clem...@dwf.com wrote:
Can you either point me at the documentation I need to read, or
explain how to
'Add one for the root zone'
Have a look at:
http://fanf.livejournal.com/107310.html
Note that since you are using bind-9.6 you have to use a trusted-keys
I could not get private stub nor forward zones to work if their public parent
is signed and does not have a delegation to the private zone.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
On 12 Sep 2010, at 03:41, Chris Buxton chris.p.bux...@gmail.com wrote:
On Sep 11, 2010, at
On Wed, 15 Sep 2010, sami's strat wrote:
a.us is (dnssec) signed and the parent domain has a copy of the DS keys.
Is there a way to have host.b.com run dnssec aware queries against a.us?
You don't need or want the ISC DLV trust anchor for that, since there is a
chain of trust to the root and
On 17 Sep 2010, at 14:10, Niobos nio...@dest-unreach.be wrote:
Is the current version of the ARM available online somewhere?
http://dotat.at/tmp/arm97/
IIRC the specific version that comes from is 9.7.1p2.
Tony.
--
f.anthony.n.finch d...@dotat.at
On Mon, 20 Sep 2010, Alan Clegg wrote:
All signature expire times are in MMDDHHMMSS format in the zone data
and are handled correctly as far as BIND deals with it.
If your OS deals with the 2038 issue correctly, then BIND will as well.
RFC 4034 says that the signature validity times are
On Fri, 24 Sep 2010, Stewart Dean wrote:
1) I assume the canonical location of named.conf is always in /etc?
A default build of bind expects to find it in /etc/named.conf
If you are running chrooted it needs to be copied into the chroot.
2) My home-built binary is nearly 7MB, while the CentOS
On Thu, 30 Sep 2010, Taylor, Gord wrote:
The business partner has already fixed their firewall
(allow_dnssec_bit=1 on CheckPoint)
Just in case anyone else is worried about interop problems, I note that
allow_dnssec_bit=1 is the default setting. A CheckPoint firewall
administrator has to
On Thu, 30 Sep 2010, Nicholas F Miller wrote:
Does anyone actually have GSS-TSIG working with an Active Directory?
There are some GSS-TSIG interop fixes in 9.7.2.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5
I haven't seen any answers to Timothe's questions below, though I have been
keeping an eye out for them. The documentation in this area is a bit thin...
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
On 20 Sep 2010, at 20:28, Timothe Litt l...@acm.org wrote:
I'm trying to get
On Sun, 3 Oct 2010, Chris Thompson wrote:
Oct 3 16:53:10 dnssec: warning: validating @14c9cd70:
98.206.101.95.IN-ADDR.ARPA PTR:
can't validate existing negative responses (not a zone cut)
What do they mean, exactly? And should I be worrying about them?
They all seem to refer to PTR
On Thu, 28 Oct 2010, fddi wrote:
I am going to start in a production environment a bunch of 3 mail servers for my
domain, let's say mydomain.com
I need to install a X509 certificate on each server in a way that upon
x509 authentication thunderbird or whatever MUA won't complain about
hostname
On Fri, 29 Oct 2010, Mark Andrews wrote:
It would be nice if we could standardise a MX target of . as saying
that this domain doesn't accept email e.g. MX 0 . the same way as SRV
0 0 0 . means that there is no service for the named protocol. That
way the sending MTA or the MSA can reject the
On Wed, 3 Nov 2010, Stephane Bortzmeyer wrote:
On Wed, Nov 03, 2010 at 11:24:03AM -0200,
alexan...@nautae.eti.br alexan...@nautae.eti.br wrote
a message of 31 lines which said:
So, is that possible in any way to use DNSSEC with Bind 9.3.6?
Yes. DNSSEC appeared in BIND 9.0.
DNSSEC has
On Tue, 25 Jan 2011, M. Meadows wrote:
Any thoughts on why this might happen?
Invalid CNAME at zone apex.
; DiG 9.6.2-P2 any getaroomgetadeal.com @ns1.slicehost.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15830
;; flags: qr aa rd; QUERY: 1,
On Mon, 14 Mar 2011, Jan-Piet Mens wrote:
A stub zone tells BIND to load SOA and NS records from its masters {}.
(forwarders {} is, I believe, both useless and incorrect here.) From that
point onwards, your BIND will use the data in the stub to recursively
find answers to queries for that
Kay ch...@daumcorp.com wrote:
Some domain has 12 IPs but the traffic of the servers is not equal.
The traffic of 11 IPs is the same and just 1 IP is higher than the others.
If you use round-robin DNS you are relying on the clients not to muck
around with the responses they get from your DNS server. If they
Patrick Rynhart p.rynh...@massey.ac.nz wrote:
I am new to using BIND and thought that I would start by setting up a
caching-only name server on a VM running CentOS 5.5. While in this
mode, my understanding is that named should be passively listening for
any DNS requests that are resolved and
Justin Krejci jkre...@usinternet.com wrote:
So I am wondering if this is normal/expected behavior for BIND and if so
should debug logging or named-checkzone with debugging be able to
identify this as the problem. Or am I missing something else altogether?
With bind-9.7.3, I get the following
hostmas...@g-net.be hostmas...@g-net.be wrote:
The reason I ask is because I'm setting up a DNSSEC server and, for easy
key rollover and manageability, I have created several new directories on
a USB stick, for example. Key files and zone files now all have 774
permissions, owned by bind:bind
hostmas...@g-net.be hostmas...@g-net.be wrote:
4 dr--r--r-- 2 bind bind 4096 2011-04-18 14:50 .
You should set execute permission on the directory so that bind can
traverse it.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally
On 20 Apr 2011, at 01:11, Mark Andrews ma...@isc.org wrote:
In message 4dadfb29.6080...@dougbarton.us, Doug Barton writes:
I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
against openssl 1.0.0d not being able to chroot unless they copy
$PREFIX/lib/engines/libgost.so
Adam Goodall adam.good...@gmail.com wrote:
This certainly seems to have solved the problem. I'm not convinced I
understand why it didn't work the way I was trying, but this is a perfectly
acceptable alternative - thanks for your help!
A server that you forward queries to is expected to be a
rams brames...@gmail.com wrote:
How do I declare multiple signed key paths in key-directory? When I declare it as
follows, named does not start.
key-directory {/var/named/zones;/root/ramesh/Largezone;}
You can specify a key-directory inside a zone statement if you want the
keys for that zone to be
Karl Auer ka...@biplane.com.au wrote:
Using our local caching, recursive BIND9 nameservers, we get SERVFAIL on
a particular domain, namely mailergoat.rsi.co.jp. But from other
places, we get NOERROR (which is the correct answer, because there is a
A record with that name). However, from some
A couple of problems:
Firstly, if you are running chrooted and have a recent version of OpenSSL
installed, you must either copy the OpenSSL gost cipher engine loadable module
into your chroot, or hack the build scripts to disable gost support. The
easiest way to do this is to make the obvious
Marc Lampo marc.la...@eurid.eu wrote:
Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ...
4 DS's in total,
for each KSK 1 DS with SHA-1, one with SHA-2
for one KSK, the algorithm used was changed from 5 to 8.
As I understand it the problem that Stephane reported
Juergen Dietl isclist...@googlemail.com wrote:
I run bind 9.8 with GSS-TSIG in several domains with an update-policy list
for secure updates and all is working fine. Before, my bind was in a
CHROOT environment. But with GSS-TSIG it seems to need a lot more
libraries.
Did it stop working
Carl Byington c...@byington.org wrote:
ns.il. 86400 IN CNAME relay.huji.ac.il.
il. 86400 IN NS nse.ns.il.
With that cname, how are NS records like nse.ns.il supposed to work?
The presence of a CNAME at a name has no effect on
Barry Finkel bsfin...@anl.gov wrote:
I am not sure how to decode the .jnl file; I have not looked at the code
in detail.
Try the named-journalprint program. You can also try named-compilezone -j
which applies the journal to the master file.
Tony.
--
f.anthony.n.finch d...@dotat.at
Phil Mayers p.may...@imperial.ac.uk wrote:
This might be the problem resolving CNAMEs that was discussed on the list
recently:
https://lists.isc.org/pipermail/bind-users/2011-May/thread.html#83714
Bind 9.8.0 intermittent problem with non-recursive responses
It was fixed in 9.8.1
But note
Niobos nio...@dest-unreach.be wrote:
However, I don't see any security-benefits in this scenario: If the attacker
gets hold of the credentials to update the zone dynamically, he can do so in
both cases (KSK online or offline). If your server is compromised, he can
add/remove records in both
Spain, Dr. Jeffry A. spa...@countryday.net wrote:
I'm sure I could solve this by removing all of the DNSSEC data and
resigning the zone, but would prefer not to do this except as a last
resort. If anyone has troubleshooting suggestions or other insights, I
would be grateful for those. Thanks.
Daniel McDonald dan.mcdon...@austinenergy.com wrote:
I set up a zone with DNSSEC, and wanted to verify that it was working
properly. But I appear to have trouble with the root KSK.
$ dig +dnssec danmcdonald.us +topdown
;; No trusted key, +sigchase option is disabled
Any advice as to what
Cathy Zhang zhangclca...@gmail.com wrote:
# Check direct query for RRSIG: If it's not cached with other records,
# it should result in an empty response.
Why shouldn't recursive server return RRSIG RRs to the client?
An RRSIG is part of the RRset that it signs, and the whole thing
Daniel McDonald dan.mcdon...@austinenergy.com wrote:
08-Jul-2011 08:55:58.700 dnssec: info: validating @0xb4260ad8:
ips.backscatterer.local SOA: got insecure response; parent indicates it
should be secure
I'm not really certain which parent is reporting this
The root zone says that .local
fddi f...@gmx.it wrote:
How do I avoid these useless notifications?
notify master-only
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Viking: Easterly, becoming variable, 3 or 4. Slight or moderate. Rain or
thundery showers. Good, occasionally poor.
Daniel McDonald dan.mcdon...@austinenergy.com wrote:
; DiG 9.8.0-P4 @localhost ips.backscatterer.local ds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
Jonathan Kamens j...@kamens.us wrote:
I said above that the problem is exacerbated by the fact that many DNS servers
don't yet support IPv6 queries. This is because the queries don't get
NXDOMAIN responses, which would be cached, but rather FORMERR responses, which
are not cached. As a
Phil Mayers p.may...@imperial.ac.uk wrote:
On 07/22/2011 09:50 AM, Feng He wrote:
Given the MX hosts for sympatico.ca domain:
$ dig sympatico.ca mx +short
5 mxmta.sympatico.ca.
$ dig mxmta.sympatico.ca +short
67.69.240.17 [ and several others ]
when the peer MTA fails to talk
The nsdiff program examines old and new versions of a DNS zone and
outputs the differences as a script for use by BIND's nsupdate program.
It allows you to continue to manually maintain flat text master files as
before, and feed the changes you make into named's easy dynamic DNSSEC
support.
This
To use `rndc addzone`, named needs to be able to write to the zone
configuration file in its working directory, called 3bf305731dd26307.nzf
for the _default view. Both named and the user invoking rndc need to be
able to read the rndc.key file which is usually in /etc. You need to
create the zone's
Marc Lampo marc.la...@eurid.eu wrote:
Meaning that it actually does not re-verify,
once data was found to be OK and allowed in the cache.
The point of a cache is to avoid network round trips to re-fetch or
re-validate data while it is in the cache. The DNS protocol tells the
cache how
Frank Bulk frnk...@iname.com wrote:
Would be nice if the error output or log would indicate such failures.
Yes, indeed!
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: Variable 3 or 4, becoming northwest 4
or 5 later in Dogger. Slight,
Phil Mayers p.may...@imperial.ac.uk wrote:
I first create and publish a new ZSK with no activation date. After waiting
the requisite amount of time, I use dnssec-settime:
dnssec-settime -A Knewid
dnssec-settime -I Koldid
rndc sign zone
...and bind immediately starts using the new key for
Lyle Giese l...@lcrcomputer.net wrote:
zone chaseprod.local {
    type forward;
    forwarders { 10.0.100.205; };
};
This seemed to work until I added some stuff for DNSSEC to my named.conf.
In order to forward a zone in the presence of DNSSEC validation, the zone
has to have a valid
Jaap Akkerhuis j...@nlnetlabs.nl wrote:
Additionally .local is reserved for mDNS ..
Can you give some references?
http://tools.ietf.org/html/draft-chapin-rfc2606bis
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Lundy, Fastnet: West or southwest, 6 to gale 8, decreasing 5
michoski micho...@cisco.com wrote:
It's basically a risk analysis game. You should be able to think through
common use cases for your service, and identify places where DNSSEC would
add value. Your business values validity of its DNS data, or not.
Apart from protecting the DNS itself, there
Ken Schweigert shaw...@gmail.com wrote:
logging {
...
channel dev_null_log {
file /dev/null;
};
…
category lame-servers { dev_null_log; };
…
Use the built-in null channel instead.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Irish Sea: South or
I have been playing with the new inline signing feature.
Documentation bug: the inline-signing option is not mentioned in the
syntax for slave zones.
I have not been able to get master inline signing working. Firstly, it
fails to create the signed copy of the zone automatically. If I create it
Bill Owens ow...@nysernet.org wrote:
However, in this case I believe your problem is the lack of NS records
in nau.edu for extended.nau.edu. It's difficult to know for sure, but it
appears that the only signature for the NS RRSET is using the ZSK for
extended.nau.edu, not the ZSK for nau.edu.
Michael Sinatra mich...@rancid.berkeley.edu wrote:
There are ways of getting the DS records into the zone(s). Here are some
steps that I took on some test zones:
Alternatively, set update-policy local; on your parent zone and use this
little pipeline on the master server. Substitute $parent
Raymond Drew Walker ray.wal...@nau.edu wrote:
In testing, this pipe sets up the following for nsupdate which fails:
Sorry, I forgot the TTL command. Adjust its value as you require...
dig +noall +answer dnskey $child |
dnssec-dsfromkey -f /dev/stdin $child |
(echo zone $parent; echo ttl
McConville, Kevin kmcconvi...@albany.edu wrote:
1) Is there any way to have the zsk be auto-generated based upon the
inactive date listed in the zsk meta-data?
Not yet, though I believe this feature is on the wish list.
2) With a static zone, are the update-policy local and auto-dnssec
Sergio Charpinel Jr. sergiocharpi...@gmail.com wrote:
After supplying the DS and the respective NS record for the subdomain in the
parent zone (domain.com), it works.
That sounds like you had no delegation RRs in the parent zone. In that
case the parent zone will contain a secure denial of existence of
Raymond Drew Walker ray.wal...@nau.edu wrote:
After reading this, RFC1034, and conferring with the original implementor
of DNS at our institution, I have a better wrangle on the NS issue. Child
zone NS records were never populated in the parent because all zones were
under the same name
Jan-Piet Mens jpmens@gmail.com wrote:
Any ideas or suggestions?
Not a practical one, but there are moves towards a standard nameserver
control protocol:
http://tools.ietf.org/html/rfc6168
http://tools.ietf.org/html/draft-dickinson-dnsop-nameserver-control
Spain, Dr. Jeffry A. spa...@countryday.net wrote:
From time to time I want to review the current state of the zone files.
I have been accustomed with v9.8 to taking a copy of a signed zone file
and stripping out the DNSSEC-related records in a text editor for easy
review.
I use `dig axfr
Jan-Piet Mens jpmens@gmail.com wrote:
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
I use `dig axfr dotat.at | grep -v RRSIG`
... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
I think it is more useful to see those records than to spend effort
stripping them
Chris Thompson c...@cam.ac.uk wrote:
If we are trying to turn Tony's ad hoc command into something publishable,
See the loadzone, axfrzone, and cleanzone functions in
http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff
Writing code to process arbitrary zones is a rather different
Matus UHLAR - fantomas uh...@fantomas.sk wrote:
Is it possible to update a DNSSEC-signed domain, re-sign it and generate small
differences to be transferred by IXFR?
Yes, it just works with no special effort if you use dynamic updates and
auto-dnssec maintain.
Tony.
--
f.anthony.n.finch
Bryton bry...@tznic.or.tz wrote:
I wonder if anyone has ever got the error
In my logs I have some of this:
25-Nov-2011 11:23:00.332 dnssec: info: validating @0xabe00470: uofk.edu MX: bad
cache hit (uofk.edu/DNSKEY)
Which is fairly nicely explained by this:
Marek Kozlowski kozlo...@mini.pw.edu.pl wrote:
OK. Let's assume I have only one primary and only one secondary DNS. I
have two views on my primary. May I set up the secondary one for two
views as well I make it fully synchronized to the primary one? (AFAIK
for `allow-transfer' I specify IP
Dan McDaniel d...@dm3.us wrote:
I'm setting up a new DNS server. We have two offices linked by a VPN.
I'm trying to decide whether to have everything under a single domain
(example.com) or to split them into sub-domains (office1.example.com,
office2.example.com).
If your DNS is mostly static
Evan Hunt e...@isc.org wrote:
I'd recommend checking the next four octets as well; they'll be 00 00 00 00
or 00 00 00 01. The first of those is the format that's always been used
up to now; the second is the format that will be used in 9.9.0, starting
with the next beta.
Would it be
nsdiff is an add-on tool for BIND that compares old and new versions of a
zone and generates an nsupdate script that turns the old version into the
new version. It is designed to bridge the gap between static master files
and dynamic DNS updates, making it easier to use auto-dnssec maintain.
Irwin Tillman ir...@princeton.edu wrote:
What's the recommended approach?
My empty zone is:
@ SOA localhost. root.localhost. 1 1h 1000 1w 1h
  NS localhost.
I also have a localhost. zone (RFC 2606) which is:
@ SOA localhost. root.localhost. 1 1h 1000 1w 1h
  NS localhost.
A
Matus UHLAR - fantomas uh...@fantomas.sk wrote:
I prefer defining 127.in-addr.arpa and inside:
1.0.0 PTR localhost.
I used to do that, but I need fewer zone files if I use the same reverse
zone for v6 and v4 :-) I have fairly extensive setup for bogons, and I
have set up empty zones to cover
Howard Leadmon how...@leadmon.net wrote:
So I guess my million dollar question is, I want to use DNSSEC (it's
actually working now), but I want to be able to edit my zone files the way I
always have for many years, and just have BIND sign the zones with the keys
and update as needed to keep
Phil Mayers p.may...@imperial.ac.uk wrote:
Something like Tony's nsdiff script (see his post) makes it relatively easy,
but it's still another step.
It's more like a replacement step: run nsdiff | nsupdate instead of rndc reload.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Sten Carlsen st...@s-carlsen.dk wrote:
Good news is that you should simplify your bogon list, lots of those
addresses are now actually in use; e.g. I have regular visits on my
pages by 2.x.x.x as they are now mostly handed out (local ISP here) and
in legitimate use.
My bogon list only
Mark Elkins m...@posix.co.za wrote:
I also see...
$TTL 0 ; 0 seconds
TYPE65534 \# 5 ( 08467D0001 )
TYPE65534 \# 5 ( 0896730001 )
appearing on a secondary for this zone. What is it?
(Yes - an unknown data type - the secondary is running bind
Alan Clegg a...@clegg.com wrote:
Just be sure to watch for the extra SOA record. :)
Or use dig axfr +onesoa ...
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
South-east Iceland: Southerly 5 to 7, occasionally gale 8, but variable 4 at
first and later in west. Very rough,
Spain, Dr. Jeffry A. spa...@countryday.net wrote:
Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
doesn't appear to offer DNSSEC validation, and 78.46.213.227
(rms.coozila.com) doesn't respond to my query at all.
It's worse than that. Google Public DNS doesn't support
Samer Khattab skhat...@gmail.com wrote:
What is BIND's internal logic when such a series of queries is received, and
why would it not answer all the requests?
Each query in progress from a given client must have a different ID, so
queries with the same ID are logically the same query which only
William Thierry SAMEN thierry.sa...@gmail.com wrote:
I'm trying to sign a zone on Bind 9.8-P1 but I have this message:
*dnssec-signzone: fatal: key myKSK.key not at origin*
It means the zone name in the key is not the same as the zone you are
signing.
Tony.
--
f.anthony.n.finch
William Thierry SAMEN thierry.sa...@gmail.com wrote:
My file zone:
Er, this looks like a key file, not a zone file. The key has been generated
incorrectly: it has a file name where the zone name should be.
; This is a zone-signing key, keyid 12762, for *../etc/toto.com.*
; Created:
William Thierry SAMEN thierry.sa...@gmail.com wrote:
dnssec-signzone: error: dns_master_load: ../etc/toto.com:12: toto.com: not at
top of zone
dnssec-signzone: fatal: failed loading zone from '../etc/toto.com': not at
top of zone
This is because your zone uses an include directive to
Chris Thompson c...@cam.ac.uk wrote:
More directly, http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf
This is definitely worth reading, being an interesting new twist on a
fairly old theme.
Paul Vixie was trying to do something about risks in this area a couple of
years ago:
dE . de.tec...@gmail.com wrote:
Firstly, where do we get the public key for the DS records?
A zone's DNSKEY RRset contains its public keys, and these are hashed to
make its DS records. For example,
$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1
dE . de.tec...@gmail.com wrote:
Ok, so the DS record is not encrypted.
DNSSEC is about signatures: nothing is encrypted. DS records are signed:
a DS RRset has an RRSIG. For example,
; DiG 9.8.1-P1 +multi +dnssec DS isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,
Spain, Dr. Jeffry A. spa...@countryday.net wrote:
Which of these alternative empty zones should be used in the current DNS
environment and why?
In my named.conf I have set up empty zones for the whole of 240/4. I view
RFC 6303 as the minimum necessary for a hygienic name server, but there
are