Re: Master file permission denied

2023-06-28 Thread Danilo Godec via bind-users
Hello, I think chmod ug+x /etc/bind/zonas/ should solve the issue by giving the owner (bind) and the group (bind) permissions to enter the directory.   Danilo On

Changing DNS servers (name only) for a DNSSEC enabled domain

2023-02-13 Thread Danilo Godec via bind-users
Hello, in the near future I will have to change NS records for one of my domains, as DNS servers currently use an old domain (not mine), that will be phased out. DNS servers will actually remain the same, only the domain name will change. So, basically: * mydomain currently uses

Re: Changing the DNSSEC algorithm

2022-04-06 Thread Danilo Godec via bind-users
, Petr 1. https://bind9.readthedocs.io/en/v9_16_27/dnssec-guide.html 2. https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch04.html#dnssec.dynamic.zones On 4/5/22 09:07, Danilo Godec via bind-users wrote: Hello

Re: Changing the DNSSEC algorithm

2022-04-06 Thread Danilo Godec via bind-users
On 6.4.2022 8:52, Daniel Stirnimann wrote: Hello Danilo, A simple schema to change DNSSEC algorithms is as follows: 1. Add new KSK/ZSK and double sign DNSKEY and all zone RRs with both the new and old algorithm 2. Replace DS at parent 3. Remove old DNSKEY and all RRSIGs from the old

Changing the DNSSEC algorithm

2022-04-05 Thread Danilo Godec via bind-users
Hello, I implemented DNSSEC for my personal domain a good while ago with an older Bind and back then, I used RSASHA1-NSEC3-SHA1 algorithm, which by now is not recommended... So I'm going to change the algorithm, probably to ECDSAP256SHA256, which should also be NSEC3 capable. Since my

dnssec rookie question

2022-01-10 Thread Danilo Godec via bind-users
Hello, today I implemented DNSSEC for a domain - by that I mean that the DS records have been published / added to TLD DNS today, while the zone was signed a couple of days ago. So a couple of hours later I went to https://dnsviz.net to see if everything seems OK and it reports one

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-30 Thread Danilo Godec via bind-users
On 29. 12. 21 19:24, tale wrote: On Wed, Dec 29, 2021 at 5:31 AM Danilo Godec via bind-users wrote: I have an authoritative DNS server for a domain, but I was also going to use the same server as a recursive DNS for my internal network, limiting recursion by the IP. Apparently, this is a bad

DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2021-12-29 Thread Danilo Godec via bind-users
Hello, I have an authoritative DNS server for a domain, but I was also going to use the same server as a recursive DNS for my internal network, limiting recursion by the IP. Apparently, this is a bad idea that can lead to cache poisoning... After watching a Computerphile YouTube video

Millions of './ANY/IN' queries denied

2021-12-15 Thread Danilo Godec via bind-users
Hello, I'm noticing some unusual activity where 48 external IPs generated over 2M queries that have all been denied (just today): 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied 15-Dec-2021 00:01:42.023

Re: CNAME query

2021-09-23 Thread Danilo Godec via bind-users
Don't know if that helps, but if I query my local Bind DNS for a CNAME that doesn't exist, dig gives me the SOA record: > dig cname nonexisting.example.com @mydns ; <<>> DiG 9.16.6 <<>> cname nonexisting.example.com @mydns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,

Problem resolving

2021-09-16 Thread Danilo Godec via bind-users
Hello, I recently stumbled upon a problem trying to update my root hints file from *ftp.rs.internic.net*. For some reason, one of my DNS servers, running on Alpine Linux, can't resolve this name properly and always fails: # ping ftp.rs.internic.net ping: ftp.rs.internic.net: Try again nslookup