to use is https://dnsviz.net
It's graphical, detailed and while oriented toward DNSSEC, detects many
other misconfigurations.
Fix the errors and warnings shown at
https://dnsviz.net/d/mofa.gov.bd/dnssec/ and retest.
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
elds in the records.
https://github.com/tlhackque/certtools has a simple utility called
acme_token_check that does (c) to remove stray ACME records - it shows
how to do the transfer and walk the zone. (And also how to use DNS
UPDATE to maintain it.)
Enjoy.
Timothe Litt
ACM Distingui
end of the string, e.g., a base 64 string
terminated with "===", the excess pad characters could be ignored.
Timothe Litt
ACM Distinguished Engineer
adoption, keeps the user base small, validates the "don't do much"
strategy, and - catch-22, DNSSEC doesn't expand beyond the hardcore techies.
The problem is politics, not technology.
Timothe Litt
ACM Distinguished Engineer
Apparently I didn't include the DNS script library link mentioned in my
note. Sorry.
https://github.com/srvrco/getssl/tree/master/dns_scripts
On 29-Dec-22 13:45, Peter wrote:
On Thu, Dec 29, 2022 at 09:17:26AM -0500, Timothe Litt wrote:
! (Manual processes
! are error-prone. That getting registrars to adopt CDS/CDNSKEY - RFC7344 -
! has been so slow is unfortunate.)
Seconded. Do You have information about this moving at all
8 2
2E81A125523957ED2C3076B4E58BE159027F659D74E184E2F0B81D922D1E7FA9|
So, as I concluded, AWS was generating a DS for a different "key". Its
keytag was correct for the data it got.
Glad you got to a solution.
Timothe Litt
ACM Distinguished Engineer
ou might also consider using a different key experimentally, on the off
chance that a wrong keytag bug is data-dependent.
But the most likely scenario is that somehow AWS is generating a DS for
a different key.
I don't use AWS, so that's as far as I can go.
Good luck.
Timothe Litt
ACM
graphy. DS 22755 8 2
2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92 2D1E7FA9")->keytag,"\n"'
Enjoy.
Timothe Litt
ACM Distinguished Engineer
aphy. DS 22755 8 2
2E81A1255ED2C3076B4E58BE159027F659D74E184E2F0B81D92
2D1E7FA9")->keytag,"\n"'
22755
perl -MNet::DNS -MNet::DNS::SEC -e' print
Net::DNS::RR->new("ericgermann.photography. DNSKEY 256 3 15
9SM6gMjImcK0sKPvIlEr9ZNKxsqmSL9zO7P9kZTH8XQ=")
an external process. In any case, using "include" in configurations
can help to modularize/isolate the places where IP addresses are used.
Timothe Litt
ACM Distinguished Engineer
, a pointer to one of the usual platforms.
(GitHub, GitLab, sourceforge, etc).
The community works best when everyone contributes what they can.
Timothe Litt
ACM Distinguished Engineer
to resolve \"${HOST}\" \"$TYPE\"" >&2
exit 1
fi
if [ -z "$IP" ]; then
echo "Failed to resolve \"${HOST}\" \"$TYPE\"" >&2
exit 1
fi
sed -i "${CONF}.tmp
f aren't in redhat distributions.
You may need to use auditing to identify what is writing the file.
Timothe Litt
ACM Distinguished Engineer
On 03-Aug-22 14:39, Robert M
Try
echo -e "[main]\ndns=none" > /etc/NetworkManager/conf.d/no-dns.conf
systemctl restart NetworkManager.service
Timothe Litt
ACM Distinguished Engineer
happens (if it still does - it could be that the ATT router's
resolver is at fault).
Intermediate step would be to use dig.
Timothe Litt
ACM Distinguished Engineer
responsive.
FWIW
Timothe Litt
ACM Distinguished Engineer
--
Visit https://lists.isc.org/mailman/listinfo/bind
olvers all on the same page. I'm not holding my breath.
Timothe Litt
ACM Distinguished Engineer
On 02-Aug-22 13:18, Peter wrote:
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
!
! On 02-Aug-22 11:09,bind-users-requ...@lists.isc.org wrote:
!
! > | Before your authoritative view, define a recursive view with the internal
! > ! zones defined as static-stub, match-rec
, but those are site-specific.
You can also slave the root zone - that's orthogonal to AD.
I suggest taking one step at a time.
Timothe Litt
ACM Distinguished Engineer
defective/compromised...
Timothe Litt
ACM Distinguished Engineer
c-stub;\n
server-addresses { 127.0.0.1; }; \n}; \n"}' >internal_stub_zones.conf|
will generate the static-stub declarations.
Of course, depending on how you add/remove zones, YMMV.
Timothe Litt
ACM Distinguished Engineer
post the details.
Since this has indeed come full circle, I'm done.
Timothe Litt
ACM Distinguished Engineer
:-)
Still, overall DNS seems to generate more problems than fun, so if LOC
provides amusement, it's a good thing.
Malheureusement, LOC's practical application remains unclear.
Timothe Litt
ACM Distinguished Engineer
On 01-May-22 05:03, Bob Harold wrote:
On Wed, Apr 13, 2022 at 9:39 AM Bjørn Mork wrote:
Timothe Litt writes:
> Anyhow, it's not clear exactly what problem you're asking LOC (or
> anything) to solve.
Which problems do LOC solve?
I remember adding LOC records f
BTW, RFC1876 is worth reading for the suggested search algorithms. I
don't think it ever moved from "experimental", which may be part of why
uptake hasn't been great.
Timothe Litt
ACM Distinguished Engineer
choice than LOC records.
GPS tells you where you are; LOC tells everyone else...
HTH
Timothe Litt
ACM Distinguished Engineer
ortant not to jump to conclusions...
Timothe Litt
ACM Distinguished Engineer
do yourself (and your successors) a favor and document the problem you
encounter and how your solution works...
Timothe Litt
ACM Distinguished Engineer
help.
Perhaps further discussion of this belongs elsewhere...it seems to be
wandering from BIND.
Timothe Litt
ACM Distinguished Engineer
ules. At
least 2 servers in two places. That's true no matter what protocols you
use. There are backup DNS services that support IPv6. A free one that
supports both IPv6 and DNSSEC is puck.nether.net/dns.
There are plenty of DNS books/guides. I'll let someone else do the reviews.
on the records.
It's easier, doesn't stop service, and because it automates the
mechanics, safer.
BTW: I recommend using TSIG for authorization with nsupdate rather than
IP addresses.
Timothe Litt
ACM Distinguished Engineer
On 10-Sep-21 13:11, Evan Hunt wrote:
> Recently a critical bug was discovered in which map files that were
> generated by a previous version of BIND caused a crash in newer versions.
> It took over a month for anybody to report the bug to us, which suggests
> that the number of people willing to
data structure that didn't require "updating node
pointers" (e.g. that used offsets instead of pointers) may be worth
considering. In current hardware and with a decent compiler and coding,
the apparent cost of this over absolute pointers may well be vanishingly
small.
OK, that was
On 10-Sep-21 08:36, Victoria Risk wrote:
>
>
>> On Sep 10, 2021, at 7:24 AM, Timothe Litt <l...@acm.org> wrote:
>>
>> Clearly map format solved a big problem for some users. Asking
>> whether it's OK to drop it with no statement
t restart times are acceptable for
their environment - obviously a function of the number and size/content
of zones. And is a restart "all or nothing", or would some
priority/sequencing of zone availability meet requirements?
Timothe Litt
ACM Distinguished Engineer
BIND won't support windows, that
WSL is imperfect, and that an alternative to complaining might be
helpful... Feel free to s/Linux/(Solaris|FreeBSD|VMS|yourfavorite)/g.
I don't have a need for BIND (except the tools) under Windows, so I'm
not volunteering to implement this.
FWIW.
Timothe Li
addresses wrong. (Didn't have many
IPv6.) root.hint really IS stable - and so, therefore, are the named
built-ins.
Timothe Litt
ACM Distinguished Engineer
On 03-Ju
o make DNS queries[no, not named!], including control) - yes:
prefer to keep
FWIW - YMMV.
Timothe Litt
ACM Distinguished Engineer
On 29-Apr-21 07:35, Ondřej Surý w
e.org/web/20201223034301/https://www.zytrax.com/books/dns/>
Timothe Litt
ACM Distinguished Engineer
On 20-Apr-21 19:09, Victoria Risk wrote:
> Ron Aitchinson called me thi
On 16-Dec-20 13:52, Tim Daneliuk wrote:
> On 12/16/20 12:25 PM, Timothe Litt wrote:
>> On 16-Dec-20 11:37, Tim Daneliuk wrote:
>>> I ran into a situation yesterday which got me pondering something about
>>> bind.
>>>
>>> In this case, a single line i
ning,
> just trying to understand for future reference.
>
> TIA,
> Tim
DNS is complicated. The scope of an error in a zonefile is hard to
determine.
To avoid this, your automation should use named-checkzone before
releasing a zone file.
This will perform all the checks that na
tment, since broken DNS is externally visible - and frequently
catastrophic."
I'll finish with a 1987 quote from Leslie Lamport on distributed
systems, which the DNS most certainly is:
"A distributed system is one in which the failure of a computer you
didn't even know existed can render y
ps://tools.ietf.org/html/rfc2182) is fairly readable and
describes many of the considerations involved in selecting secondary DNS
servers.
DNS appears deceptively simple at first blush. Setting up a serviceable
infrastructure requires an investment of thought and on-going
maintenance. You will not be h
orld...) While full automation can be fun,
it's amazing how much one can get out of a spreadsheet with autofilter.
(For the next level, pivot tables and/or charts...)
Timothe Litt
ACM Distinguished Engineer
what you intend. Use -b to explicitly bind to a
particular interface.
(Or, if you use TSIG to match views, -k)
Timothe Litt
ACM Distinguished Engineer
or AMD cpu since ~2015 has
RDRAND/RDSEED.
There are some religious arguments about booby-trapped hardware sources -
these days, kernels will mix all sources, so I don't get too upset. But
YMMV.
Timothe Litt
ACM Distinguished Engineer
to
do (TSIG-signed) updates.
As for the next layer - XML or whatever - that's another project. If
you speak Perl, it would not be difficult to wrap Net::DNS to meet your
needs.
P.S. Other than using it (and reporting the occasional bug), I have no
relationship with Net::DNS :-)
Timothe Litt
ACM
Er,
dig _acme-challenge.imap.lrau.net.
is missing a record type. The default is A.
dig _acme-challenge.imap.lrau.net. txt
will likely give you better results
Timothe Litt
ACM Distinguis
ort, which may be worthwhile if
it allows you to concentrate on your unique value proposition.
Timothe Litt
ACM Distinguished Engineer
On 22-Feb-20 20:25, Scott A. W
ied should be produced.
--fix would shift the burden of finding the affected options from the
user to software - making it (a) more likely to happen (b) easier -
especially for configurations that span dozens (or hundreds) of
'include'd files.
I don't think there's a single universal solution to h
"only zone, not
options or view".
My 3.5¢ (USD, but your local currency will do :-)
Timothe Litt
ACM Distinguished Engineer
On 17-Mar-19 16:37, Alan Clegg
s, or ideas that work in one context but not
another.
They're responsive to criticism & contributions. But name-calling is
generally not an effective way to get anyone to help you.
Timothe Litt
ACM Distinguished Engineer
On 11-Mar-19 03:52, Mark Andrews wrote:
> Because you removed the key from disk before it was removed from the zone.
> Presumably named
> was logging other error messages before you removed the key from disk or the
> machine was off
> for a period or you mismanaged the key roll and named keep
ot helpful. Even though they are
correct in other contexts.
Timothe Litt
ACM Distinguished Engineer
> On 12-Feb-19 17:45, Kevin Darcy wrote:
> Define root zone
set up distinct
address pools - and possibly VLANs.
DNS is the wrong hammer for this nail.
Whether you should hammer the nail at all is a political, not a
technical issue.
Timothe Litt
ACM Distinguished Engineer
On 30-Nov-18 08:14, Erich Eckner wrote:
> On 30.11.18 12:26, Timothe Litt wrote:
>> On 30-Nov-18 06:04, Erich Eckner wrote:
>>> Hi,
>>>
>>> I'm running a bind9 name server (9.13.4 on debian) which forwards some
>>> zone (onion.) to tor's name serv
.
You have to ask explicitly for the record types that you want.
Many people have fallen into the trap of thinking that an ANY query will
return all records in the DNS, and assume that therefore it can be used
to make fewer queries. You're not the first.
Any software (or wetware) that relie
not in anyone's interest when people post obfuscated
questions...
Timothe Litt
ACM Distinguished Engineer
on the minutiae of BINDs
implementation.
Timothe Litt
ACM Distinguished Engineer
On 12-Nov-18 14:39, Marcus Frenkel wrote:
> Thank you for the quick reply Tony!
>
> Fo
NA.
[Although this is a security issue, I'm not revealing anything new
here. The commit is 12 years old. It has been standard advice for many
years not to run these services on the public internet. If anyone IS
running them (I think NIST is still running the time services), they
should know the risk, and
On 27-Jul-18 11:59, Elias Pereira wrote:
> hello,
>
> Can an authoritative dns for a domain, eg mydomain.tdl, have a
> hostname, example, wordpress.mydomain.tdl with a private IP?
>
> Would this be accessible from the internet via hostname, if I did a
> nat on the firewall?
>
> --
> Elias
ve checks (dnsviz is oriented around DNSSEC, but
does many other checks).
It's a good idea to run one or the other regardless of this point
issue. Actually - I run both.
Of course the usual caveats about stealth (unlisted) servers apply.
Timothe Litt
ACM Distinguished Engineer
the best long-run option. If
you can't, (or are encouraged not to by other customers), you could
solve a lot of the customer pain by making the provider loadable.
For entropy, I use a mixture of USB keys and CPU hardware generators.
As I may have mentioned, I use EntropyBroker to distribute
On 30-May-18 17:27, Victoria Risk wrote:
> Hello GeoIP users,
>
> We are aware that Maxmind is discontinuing their older free GeoLite
> location database and replacing it with a new database with a new
> format (GeoLite2). https://dev.maxmind.com/geoip/geoip2/geolite2/
>
> We have an issue open
On 18-Apr-18 09:51, Admin Hardy wrote:
>
> I would be so grateful of your help in this issue.
>
> I am running BIND 9 on Windows 7
> Service "ISC BIND" shows as started up
>
Warren's right. And change your rndc-key's secret ASAP.
Timothe Lit
.
noc.esgob.com has a recently expired certificate, and redirects to one
line text page (his name).
The github repository is empty.
So it appears to be defunct.
Timothe Litt
ACM Distinguished Engineer
rature & PCB layout), so 5 min/month. TSIG fudge is
nominally 5 min, so resyncing every 1-2 weeks is close enough. And also
close enough for sane DNSSEC configurations. You can resync more often,
but it's a fair bit of bit-banging on a slow bus (I2C or SPI for most),
and there's no point.
adafruit.com/?q=ultimate%20gps - I'm not affiliated with
Adafruit, and while I've looked at the specs, don't have direct
experience. YMMV.
Enjoy.
Timothe Litt
ACM Distinguished Engineer
ake sure that dependencies on a valid time are
properly expressed in your startup scripts.
Bottom line: your problem is getting a reasonable time, not with the
consumer(s).
Timothe Litt
ACM Distinguished Engineer
On 17-Nov-17 18:04, Mark Andrews wrote:
> DYN used to just require a TSIG signed update request set to a server
> specified in
> a SRV record.
Depends on which service. The one I referred to is the one that was
popular (free) for people who wanted to reach a machine on a dynamic IP
address.
On 17-Nov-17 14:48, Mark Andrews wrote:
> Alternatively use a http server that can update the records for the
> interfaces it is listening on.
>
> This sort of thing is possible. Named gets informed by the OS when addresses
> get added and removed. It currently just adds and removes listening
them... The effort of
maintaining a private copy of the root hints isn't worthwhile.
Timothe Litt
ACM Distinguished Engineer
On 09-Sep-17 23:14, Stefan Sticht wrote:
> H
On the original topic, it would be nice to have a dig option that
returned both A and with one command.
Since it does this, I tend to use 'host' (note that host -v gives the
same response detail as dig -t A ; dig -t ; and dig -t MX).
On the other remarks, inline.
On 14-Jun-17 21:09,
if they'll fix your
address. https://support.maxmind.com/geoip-data-correction-request/
They may require evidence that Comcast has delegated the address to you.
Timothe Litt
ACM Distinguished Engineer
akes a distinction...you get to pick one for everything.
Timothe Litt
ACM Distinguished Engineer
On 04-Feb-17 04:27, Phil Mayers wrote:
> On 03/02/17 16:45, Mukund Sivaraman wrote:
>
>> The query log is getting more fields at the end of it such as
>> CLIENT-SUBNET logging.
>
> Although it would be super-disruptive, has any thought been given to
> moving to an entirely new log format, for
ules]
If this is correct, the project website for Eagle DNS would appear to
be: http://www.unlogic.se/projects/eagledns
It seems a rather odd choice for a .gov (US Health and Human Services)
owned domain...though one never knows what IT outsourcing will produce :-)
Timothe Litt
ACM Distinguishe
s a lot of work, or the next
technology comes along. To misappropriate a K quote - "Your constant
is my variable". Or the ever popular "If you don't take the time to do
it right, you'll have to make the time to do it over...and over again".
Timothe Litt
ACM Distinguished Engineer
arpa//IN':
> 2a01:8000:1ffa:f003:bc9d:1dff:fe9b:7466#53
> 23-Dec-2015 13:20:54.398 lame-servers: info: broken trust chain resolving
> '1.0.0.0.3.2.1.0.0.0.0.0.0.0.0.0.2.0.0.f.a.f.f.1.0.0.0.8.1.0.a.2.ip6.arpa/A/IN':
> 217.168.153.95#53
>
> T
enssl. Make sure that you
have the openssl-dev RPMs installed. Don't try to build that from
source; RedHat heavily patches it & other packages depend on the changes.
Switching to the RedHat version of named may be your best option. This
should not be difficult; make uninstall; yum in
on't have too many patch
conflicts to resolve. After you've done this once or twice, you'll want
to revisit your need for local changes - either decide they're not that
important, or offer them to ISC. Maintaining a private version is work.
Timothe Litt
ACM Distinguished Engineer
case, report a bug in the log manager's config -
named's own log file management avoids all those hassles.)
Timothe Litt
ACM Distinguished Engineer
On 24-Aug-15 17:55
On 20-Aug-15 10:50, /dev/rob0 wrote:
On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote:
There are a number of providers out there offering secondary
dns services for free or for a few bucks/month. Even DNSSEC
is possible for free.
This is good news! I knew there were several good
that bind is happy to create and resolve similar names...
Oh, and the third record does resolve, which makes me suspicious of
the name length.
Any ideas on this mystery?
--
Timothe Litt
ACM Distinguished Engineer
, they refuse to escalate. I've made an out-of-band
attempt to get the attention of their management.
FWIW, bind is quite happy to accept these names in a domain where I run
my own servers.
Timothe Litt
ACM Distinguished Engineer
, which is why I stepped into the support morass. I'm tempted
to move the domain to my own servers, but I really hate to let vendors
get away with customer-unfriendly support. Other people don't have the
same ability to fight back.
Timothe Litt
ACM Distinguished Engineer
to generate TLSA records. And it supports SPKI selectors... So you might
want to point to it.
I'll try to have a closer look later.
Timothe Litt
ACM Distinguished Engineer
On 19-Nov-14 19:03, Graham Clinch wrote:
Hi Casey List folks,
My apologies - this was actually a bug in DNSViz. The NSEC3 computation
was being performed on the wrong name (the wrong origin was being
applied). It should be fixed now, as shown in:
On 27-Aug-14 20:35, Doug Barton wrote:
On 8/27/14 3:03 PM, Timothe Litt wrote:
So you really meant that validating resolvers should only consult DLV if
their administrator knows that users are looking-up names that are in
the DLV? That's how I read your advice.
You're correct.
I don't see
On 27-Aug-14 14:54, Doug Barton wrote:
On 8/26/14 10:35 AM, Timothe Litt wrote:
I think this is misleading, or at least poorly worded and subject to
misinterpretation.
I chose my words carefully, and I stand by them.
The OP was asking about configuring a resolver (bind's).
Where I thought
would seem to produce more sensible behavior than
dropping every 5i-th packet. And for it to make any sense at all, it
must be adjusted per server, not globally...
Or I'm missing something, in which case the documentation needs some
more/different words :-(
Timothe Litt
ACM Distinguished Engineer
. (Including routine builds
during development.)
Including ARM - native and cross-compiled - would support parts of the
community that don't get much attention (nor make much noise.)
Embedded and cross-architecture compilers.
Timothe Litt
ACM Distinguished Engineer
. if read from a zone file, pick a
salt, treat the record as if loaded with that value, and do all the
requisite (re-)signing.)
I'm copying bind9-bugs so this doesn't get lost. Please don't copy that
list if you comment on this. (Careful with that 'reply all'!)
Timothe Litt
ACM Distinguished
On 06-Feb-14 09:14, Klaus Darilion wrote:
On 06.02.2014 14:58, Cathy Almond wrote:
On 06/02/2014 12:58, Timothe Litt wrote:
On 06-Feb-14 05:56, Cathy Almond wrote:
On 05/02/2014 18:54, David Newman wrote:
The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
time a zone's
larger than they were in years past.
--
Timothe Litt
ACM Distinguished Engineer
are DNSSEC signed)
transfer just fine.
Not helpful without my configuration? That's the point. Post yours
with the log messages showing the transfer attempts failures and maybe
someone (else) will help.
Timothe Litt
ACM Distinguished Engineer
costs less because
you kept all the bootstrapping supplies.
Further discussion should probably find another list...
Timothe Litt
ACM Distinguished Engineer
On 19
ago (and could resend).
Since you're obviously in the code, would you re-consider this? It's
pretty straightforward, it simply selects a subset of the data in the
(then-) existing flow.
Thanks on both counts.
Timothe Litt
ACM Distinguished Engineer