Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Thanks Mark. It's right there in the log. Bob -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Named will tell you which DNSSEC algorithms it supports. Depending upon the OS and its configuration this may differ. DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448 vs DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Would this be true for FreeBSD as well? I also have a bind 9.18.24 instance running on freeBSD and it seems to be ok. Bob > The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings. > Whilst

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

From: bind-users on behalf of John Thurston Date: Thursday, 18 April 2024 at 06:39 To: "bind-users@lists.isc.org" Subject: Re: Answers for www.dnssec-failed.org with dnssec-validation auto; Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock had fallen on my h

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock had fallen on my head. I know I can re-enable SHA1 for everything on the host with: update-crypto-policies --set DEFAULT:SHA1 But that's a fairly broad stroke, when only 'named' needs to accept such signatures. Is

Re: Answers for www.dnssec-failed.org with dnssec-validation auto; (John Thurston)

My bind 9.18.24 server runs under Debian. When I query with dig it appears to take long enough to resolve that it goes to the next DNS server in the client's IP stack. The secondary server in my list is quad9. It seems to resolve correctly. If I point to the address of my Debian server, it works

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

testPrimary-key";     }; }; options {     directory "/var/opt/testPrimary/named/data";     dump-file "cache_dump.db";     listen-on port 1053 {     127.0.0.1/32;     };     querylo

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

he_dump.db";     listen-on port 1053 {     127.0.0.1/32;     };     querylog yes;     dnssec-validation auto;     empty-zones-enable no;     recursion yes; }; key "ns88-testPrimary-key" {     algorithm "hmac-sha256";     secret "

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

On 17/04/2024 11:41, John Thurston wrote: I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until

Answers for www.dnssec-failed.org with dnssec-validation auto;

I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until it doesn't. After several seconds of answering S

FW: dnssec-validation? SOLVED

Hello. I just want to say everything seems to be working on my domain, and my primary dns server already performs validation Dnssec-validation is set to auto, like on the secondary dns, and it's working. When I perform Dig @dns www.dnssec-failed.org it already returns SERVFAIL and the rest seems

RE: dnssec-validation?

named.conf on the primary and secondary server to find why dnssec-validation needs to be off on the primary. Thanks! David -Original Message- From: Mark Andrews Sent: 14 April 2023 02:35 To: David Carvalho Cc: Evan Hunt ; bind-users@lists.isc.org Subject: Re: dnssec-validation?

Re: dnssec-validation?

r my > domain. > > A few months ago I updated both dns servers to Oracle Linux 8, running BIND > 9.16.23 to prepare for this. > They seem to be working fine as previously, running as both recursive and > authoritative for di.ubi.pt. > > DNS2 has still "dnssec-validation a

RE: dnssec-validation?

and reload, I would stick with this version. Regards David -Original Message- From: Evan Hunt Sent: 13 April 2023 18:08 To: David Carvalho Cc: bind-users@lists.isc.org Subject: Re: dnssec-validation? On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote: > Problem number 1: Dns

Re: dnssec-validation?

On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote: > Problem number 1: Dnssec seems to be running on "di.ubi.pt", but > dnssec-validation still needs to be set to no; Will this cause troubles? > Dns2 is set to auto and runs fine. >From here, di.ubt.pt appears

RE: dnssec-validation?

Hello again. Problem number 1: Dnssec seems to be running on "di.ubi.pt", but dnssec-validation still needs to be set to no; Will this cause troubles? Dns2 is set to auto and runs fine. Problem number 2: How can I avoid the key regeneration (using version 9.16.23) every named resta

RE: dnssec-validation?

D 9.16.23 to prepare for this. They seem to be working fine as previously, running as both recursive and authoritative for di.ubi.pt. DNS2 has still "dnssec-validation auto;" on its /etc/named.conf. I've found out that if I wanted my primary server to start answering my internal requests for outsi

Re: dnssec-validation?

On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users wrote: > After reverting my primary dns configuration, and asking my provider to > remove the DNSKEY, I had to include dnssec-validation no; otherwise it would > keep answering with SERVFAIL > > I not

dnssec-validation?

to parent domain, the test performed by dnssec-analyzer showed everything ok, nevertheless, all queries except those about my.domain were Rejected with SERVFAIL. dig @my.server or dig @localhost My secondary dns server hold everything while testing, and I noticed I had dnssec-validation auto

Use of stale data during dnssec validation

Today, we had a case where one of our resolvers (9.16.37) failed to return an SOA-record for the TLD 'us'. digging with the +cd flag, returned a value, while delving with +vtrace failed: ;; fetch: us/SOA ;; resolution failed: SERVFAIL Fingers pointed to a failure to validate. I dumped the

Re: Finding dnssec validation failures in the logs

dence that I'm > recognizing the important lines in the logs before I start casting stones. > > -- > Do things because you should, not just because you can. > > John Thurston907-465-8591 > john.thurs...@alaska.gov > Department of Administration > State of Alaska >

Re: Finding dnssec validation failures in the logs

907-465-8591 john.thurs...@alaska.gov Department of Administration State of Alaska On 1/24/2023 5:26 AM, Michael Richardson wrote: John Thurston wrote: > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am > writing "category dnssec" t

Re: Finding dnssec validation failures in the logs

John Thurston wrote: > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am > writing "category dnssec" to a log file  at "severity info;"  When I look in > the resulting log file, I'm guessing that lines like this:

Re: Finding dnssec validation failures in the logs

guess it could mean someone is trying to serve up wrong answers ... Found many lines of 'no valid signature found’ I think you are probably OK. > On Jan 23, 2023, at 7:44 PM, John Thurston wrote: > > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am

Finding dnssec validation failures in the logs

On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am writing "category dnssec" to a log file  at "severity info;"  When I look in the resulting log file, I'm guessing that lines like this: validating com/SOA: got insecure response; parent

Re: DNSSEC validation via AD bit?

On 31. 01. 22 11:50, Tony Finch wrote: 2. Should sendmail not be trusting the AD bit in replies from the admin configured (i.e., trusted by admin) resolvers? It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also relies on the AD bit to validate SSHFP records. But using AD is

Re: DNSSEC validation via AD bit?

Gregory Shapiro via bind-users wrote: > > Two questions: Slightly expanding on Mark's answers... > 1. Is there a reason when BIND is running as both a recursive server and > an authoritative server for a domain, it doesn't set the AD bit when > answering resolver queries for one of its

Re: DNSSEC validation via AD bit?

> On 31 Jan 2022, at 10:45, Gregory Shapiro via bind-users > wrote: > > sendmail's implementation of DANE determines whether DNSSEC validation was > successful based on the presence of the AD bit in the response to the DANE > record lookup. > > An equ

DNSSEC validation via AD bit?

sendmail's implementation of DANE determines whether DNSSEC validation was successful based on the presence of the AD bit in the response to the DANE record lookup. An equivalent dig lookup would be: % dig TLSA _25._tcp.smtp.gshapiro.net. ... ;; Got answer: ;; ->>

Re: AW: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

On 27. 01. 22 16:05, Gehrkens.IT GmbH | Heiko Wundram wrote: Hello Tony, The other things that can cause the behaviour you observed are synth-from- dnssec and qname-minimization. thanks for the heads up concerning synth-from-dnssec; I thought the default was "no", but that seems to have

AW: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

Hello Tony, > The other things that can cause the behaviour you observed are synth-from- > dnssec and qname-minimization. thanks for the heads up concerning synth-from-dnssec; I thought the default was "no", but that seems to have changed somewhere between 9.14 and 9.16... I've just changed that

Re: Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

Gehrkens.IT GmbH | Heiko Wundram wrote: > > From what I gather, this behaviour sounds almost like what RFC 8020 proposes > (NXDOMAIN cut), but at least according to the corresponding ticket, that > isn't implemented in BIND. The other things that can cause the behaviour you observed are

Problems with (unsigned) forward zones, dnssec-validation auto and validate-except on BIND 9.16 and 9.17

the forwarded zones. Generally, this works: in the views that should resolve the internal forwarded zone names, I can resolve them, and BIND also skips DNSsec validation for those zones. Now comes the but: if I resolve a zone name in .lan or .local which is not forwarded I get an NXDOMAIN

Re: How to selectively skip DNSSEC validation?

ward; > forward only; > forwarders { 192.168.0.7; }; > }; > > The options section of the file specifies > > recursion yes; > dnssec-enable yes; > dnssec-validation yes; > > Note that 192.168.0.7 is my local LAN address for my AREDN no

Re: How to selectively skip DNSSEC validation?

; > > zone "10.in-addr.arpa." IN { >type forward; >forward only; >forwarders { 192.168.0.7; }; > }; > > The options section of the file specifies > >recursion yes; >dnssec-enable yes; >dnssec-validation yes;

How to selectively skip DNSSEC validation?

; forwarders { 192.168.0.7; }; }; zone "10.in-addr.arpa." IN { type forward; forward only; forwarders { 192.168.0.7; }; }; The options section of the file specifies recursion yes; dnssec-enable yes; dnssec-validation yes; Note that 192.1

Re: Dnssec-validation auto

resolv.conf has only itself as dns server When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server. 13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed 13-Nov-2020 11:09:18.998

Re: Dnssec-validation auto

ed domain. Try debuging salesforce.com. domain verification instead. On 11/13/20 1:59 PM, Ismael Suarez wrote: > With "dnssec-validation AUTO;" I get: > > # delv +cd www.popularsba.com > ;; resolution failed: timed out > > > With "dnssec-validation NO;" I

Re: Dnssec-validation auto

With "dnssec-validation AUTO;" I get: # delv +cd www.popularsba.com ;; resolution failed: timed out With "dnssec-validation NO;" I get: # delv +cd www.popularsba.com ;; resolution failed: timed out ; unsigned answer www.popularsba.com. 279 IN CNAME

Re: Dnssec-validation auto

.00d1n02kxqqua0.gslb.siteforce.com. 4.0p13m008e6qcaq.00d1n02kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253 Cheers, Petr On 11/13/20 5:26 AM, Ismael Suarez wrote: > Hi all > > The following domain (www.popularsba.com) does not resolve with dnssec > validation set to auto, but w

Dnssec-validation auto

Hi all The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works. Why is this? How can I check this validation? Using bind 9.12 Thanks to all ___ Please visit https

Re: About DNSSec-Validation=Yes and bind.keys

to include them yourself. Try adding: include "/etc/bind.keys"; to your configuration, if dnssec-validation yes; is used. Best Regards, Petr On 11/12/20 11:18 AM, Onur GURSOY wrote: > Hello Everyone, > I have some trouble about bin9 and dnssec > When i set dnssec-validatio

About DNSSec-Validation=Yes and bind.keys

Hello Everyone, I have some trouble about bin9 and dnssec When i set dnssec-validation to auto. My dns server is talking with google dns server (8.8.8.8 and 8.8.4.4) and when i set to dnssec-validation to yes it couldn't talk with google dns server. i have realized, there is no pre defined

Re: Exempt .local from dnssec validation on resolver?

One may also want to disable synth-from-dnssec to prevent this NSEC record synthesising a negative response. loans. 4070IN NSEClocker. NS DS RRSIG NSEC If named gets a query for a name in the covered range it will learn the NSEC record and will synthesise a negative

Re: Exempt .local from dnssec validation on resolver?

On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote: > In 9.11, no. In 9.14, you can use "validate-except { local; };" (Afterthought: In 9.11, you can also use "rndc nta" to suppress validation on a given domain, but negative trust anchors expire after a while, so you have to keep doing it

Re: Exempt .local from dnssec validation on resolver?

On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote: > Is there any way to tell my resolver it shouldn't be validating > responses for foo.local? In 9.11, no. In 9.14, you can use "validate-except { local; };" -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.

Exempt .local from dnssec validation on resolver?

no influence or control. The difficulty is if my named.conf contains: dnssec-validation auto; then I'm unable to return records for things like a.foo.local, and my log contains info-messages of the sort: --- lame-servers: info: insecurity proof failed resolving 'foo.local/SOA/IN': 10.1.2.3#53

Re: DNSSEC validation via DLV

via bind-users Sent: Thursday, 18 July 2019 10:22 PM To: m...@posix.co.za; bind-users@lists.isc.org Subject: Re: DNSSEC validation via DLV Not a difficult process really.. -Configure a DNSSEC enabled name server -Create a some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone) -Update

Re: DNSSEC validation via DLV

On 19/07/2019 9:27 am, p...@vspace.co.za wrote: > > Problem being, no options exist as to export the DS record of co.za, com.au > or net.au domains to the respective registrars, being namecheap.com and > axxess.co.za. > Change registry right ? Crazy domains supports them for the ".com.au"

RE: DNSSEC validation via DLV

;> though zones still exists that does not provide a fully signed path >> from root to zone, i.e. .com.au , co.za etc, how would an >> administrator enable / implement DNSSEC validation for these zones ? >> >> >> ___ >

Re: DNSSEC validation via DLV

xists that does not provide a fully signed path >> from root to zone, i.e. .com.au , co.za etc, how would an >> administrator enable / implement DNSSEC validation for these zones ? >> >> >> ___ >> Please visit https://

Re: DNSSEC validation via DLV

SSEC Lookaside Validation) having been decommissioned, though zones still exists that does not provide a fully signed path from root to zone, i.e. .com.au , co.za etc, how would an administrator enable / implement DNSSEC validation for these z

DNSSEC validation via DLV

With DLV (DNSSEC Lookaside Validation) having been decommissioned, though zones still exists that does not provide a fully signed path from root to zone, i.e. .com.au , co.za etc, how would an administrator enable / implement DNSSEC validation for these zones

Re: dnssec-validation auto vs yes

On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt wrote: > > On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > > The default BIND9 installation for CentOS7 has dnssec-validation set to > > "yes" and it also includes managed-keys as well. Do those

Re: dnssec-validation auto vs yes

Shawn Zhou via bind-users wrote: > Thanks Even. Sounds like "dnssec-validation auto" is a more > future-proof option for what want it. I will use that instead. My recommendation is to avoid configuring or installing root trust anchors, and let named handle all that itse

Re: dnssec-validation auto vs yes

Thanks Even. Sounds like "dnssec-validation auto" is a more future-proof option for what want it. I will use that instead. On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt wrote: On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > The

Re: dnssec-validation auto vs yes

On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > The default BIND9 installation for CentOS7 has dnssec-validation set to > "yes" and it also includes managed-keys as well. Do those managed-keys > get updated automatically? Yes, if the "

dnssec-validation auto vs yes

Hi, The default BIND9 installation for CentOS7 has dnssec-validation set to "yes" and it also includes managed-keys as well. Do those managed-keys get updated automatically? It is not clear from reading  https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#dnssec-validation

I need you help to separate the DNSSEC validation process

Hi all, I need to setup my lab network to have my recursive DNS server (which runs bind v9.9.5) to be able to make partial DNSSEC validation where the client should be able to make the other half of the validation process. In particular, I need the DNS resolver to be able to validate the root

Re: BIND9.11.4-P1] What happens Combination with dnssec-enable yes; dnssec-validation no; in named.conf

Sunghwan Kim(IBI) wrote: > > I would like to know what happens if dnssec-enable yes; dnssec-validation > no; in named.conf are being setting. > > Does it come SERVFAIL ? No. (But see * below...) `dnssec-enable` is to do with handling of DNSSEC records and query flags: setting

BIND9.11.4-P1] What happens Combination with dnssec-enable yes; dnssec-validation no; in named.conf

Hi All, My running server is BIND-9.11.4-P1. I would like to know what happens if dnssec-enable yes; dnssec-validation no; in named.conf are being setting. Does it come SERVFAIL ? Regards, Sunghwan. -- (주)아이비아이(www.ibi.net) DNS사업부/본부장 02-2165-7234

DNSSEC validation option in BIND 9.10

Hi people, I have two BIND 9.10.3 servers with DNSSEC validation enabled, one in one client and the other in another client. Both BIND have the same configuration lines relative to DNSSEC validation: dnssec-validation auto; dnssec-enable yes; and both has the current and future key in bind.keys

Re: DNSSEC validation

s? I assume the validation is > > already done at the recursive resolver. > > The resolver doesn't have to do DNSSEC validation itself (though of course > it's a good idea). It just needs to pass along signatures on request. If > you're using a resolver that doesn't do that... we

Re: DNSSEC validation

the signatures? I assume the validation is > already done at the recursive resolver. The resolver doesn't have to do DNSSEC validation itself (though of course it's a good idea). It just needs to pass along signatures on request. If you're using a resolver that doesn't do that... well, use a di

Re: DNSSEC validation

Thanks Warren. I will look into https://getdnsapi.net/ . Rgds simon On Tue, Feb 13, 2018 at 2:07 PM, Warren Kumari wrote: > On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > > Hello Evan, > > > > Thank you so much for the quick response. > > > >

Re: DNSSEC validation

On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > Hello Evan, > > Thank you so much for the quick response. > > My requirement is to implement only the recursive resolve and validation > part of the DNSSEC in my client application. Our CPU and memory are very > limited.

Re: DNSSEC validation

gt; Implementing a full resolver with a library is possible in BIND 9.12, > in which we spun off a lot of the name server code into a new libns > library. I can't point you to any sample code other than named itself, > though. > > Given what you said about limited CPU and memory, I can't

Re: DNSSEC validation

ther solution. I'd probably just use dnsmasq and turn on its DNSSEC validation option. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-

Re: DNSSEC validation

Hello Evan, Thank you so much for the quick response. My requirement is to implement only the recursive resolve and validation part of the DNSSEC in my client application. Our CPU and memory are very limited. So I am not sure I can go and use BIND 9. With BIND 9, can I integrate the library in

Re: DNSSEC validation

On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote: > I am trying to implement the full recursive resolver with libbind library > in my client code. I am not using resolv.conf in my implementation. Can > anyone please help to point any sample code for this. Not even BIND uses libbind

DNSSEC validation

Hello, I am trying to implement the full recursive resolver with libbind library in my client code. I am not using resolv.conf in my implementation. Can anyone please help to point any sample code for this. Thank you for your help and time. Rgds simon

Re: DNSSEC validation without current time

are unsigned now, so that would work anyway. If I want spoof protection, what should I do? Do two passes. First: Use DNS without DNSSEC validation to obtain a list of NTP servers, and thereby determine the current time. Second: Use DNS with DNSSEC to obtain a list of (trusted) NTP servers

Re: DNSSEC validation without current time

>>> be used in default installation image without manual configuration? And >>> how does it resolve that name, when date of the system is 1970-1-1 or >>> something a only a bit more accurate? >>> >>> Current pool.ntp.org adresses are unsigned now, so that would work &g

Re: Re: DNSSEC validation without current time

te of the system is 1970-1-1 or >> something a only a bit more accurate? >> >> Current pool.ntp.org adresses are unsigned now, so that would work >> anyway. If I want spoof protection, what should I do? > > Do two passes. First: Use DNS without DNSSEC validation

Re: DNSSEC validation without current time

do? Do two passes. First: Use DNS without DNSSEC validation to obtain a list of NTP servers, and thereby determine the current time. Second: Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and verify the time. The second pass might detect the list of IPs has changed and bypass

Re: DNSSEC validation without current time

Hi there, On Fri, 15 Dec 2017, Barry Margolin wrote: In article , "G.W. Haywood" wrote: On Fri, 15 Dec 2017, Petr Men??k wrote: ... current time is not available or can be inaccurate. ntpdate? I think the

Re: DNSSEC validation without current time

On 12/15/2017 08:10 AM, Timothe Litt wrote: I use an 19xLVC too (On Raspbian == Debian).  But I also have an RTC. GPS does have outages,  can take a while to get a fix, and NTP wants consensus.  So I use my GPS receiver as a local clock source (preferred), but also configure several servers

Re: DNSSEC validation without current time

In article , "G.W. Haywood" wrote: > Hi there, > > On Fri, 15 Dec 2017, Petr Men??k wrote: > > > ... current time is not available or can be inaccurate. > > ntpdate? I think the issue is that he needs to resolve

Re: Re: DNSSEC validation without current time

mpile a kernel that's configured > appropriately, I feel the clock can be synchronized to about 1us > accuracy. > > It is more or less reliable and value for $70 if one wants UTC on their > computer without accessing the internet. This is more than sufficient > for DNSSEC validatio

Re: DNSSEC validation without current time

On 15-Dec-17 06:45, Petr Menšík wrote: > Hi folks. > > I am looking for a way to validate name also on systems, where current > time is not available or can be inaccurate. > > This is related to booting with NTP client, when the only configuration > is hostname that has to be resolved. There is a

Re: DNSSEC validation without current time

Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a): > Hi there, > > On Fri, 15 Dec 2017, Petr Men??k wrote: > >> ... current time is not available or can be inaccurate. > > ntpdate? > Sure, of course. What would be default host after installation, that can be used in default

Re: DNSSEC validation without current time

Petr Menšík wrote: > > This is related to booting with NTP client, when the only configuration > is hostname that has to be resolved. There is a bit circle dependencies. Yes awkward, and there still aren't any convincing answers. One of the more interesting projects is

Re: DNSSEC validation without current time

It is more or less reliable and value for $70 if one wants UTC on their computer without accessing the internet. This is more than sufficient for DNSSEC validation and many other network services, and certainly more accurate than using the ntp.org pools.

Re: DNSSEC validation without current time

Hi there, On Fri, 15 Dec 2017, Petr Men??k wrote: ... current time is not available or can be inaccurate. ntpdate? -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing

DNSSEC validation without current time

Hi folks. I am looking for a way to validate name also on systems, where current time is not available or can be inaccurate. This is related to booting with NTP client, when the only configuration is hostname that has to be resolved. There is a bit circle dependencies. First current time is

Re: dnssec validation issue

Hi Mukund > Are you able to reproduce the bug with the latest stock version of BIND > 9.9? 9.9.4 is very old and that branch has had numerous bugfixes since. > I'm not able to reproduce such a validation failure with 9.9.11: At the moment the latest patched version of bind available for

Re: dnssec validation issue

Hi Ganga On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote: > With dnssec-validation turned on, resolving sites like www.icann.org > <http://www.icann.org/> fails. The alternative is to remove validation > which of course is not the desired solution. Are you ab

Re: dnssec validation issue

On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote a message of 677 lines which said: > # dig @localhost www.icann.org A +dnssec When you suspect a DNSSEC issue, always retry dig with +cd (Checking Disabled). And post the result.

Re: dnssec validation issue

Ganga R. Dhungyel <grdhung...@gmail.com> wrote: > > **debug log > > 23-Aug-2017 16:17:57.567 dnssec: debug 3: > validating @0x7f3ffc96e4d0: www.vip.icann.org A: > attempting insecurity proof > > With dnssec-validation turned on, resolving sites like

dnssec validation issue

t; }; allow-query-cache {localhost; my-net; }; flush-zones-on-shutdown yes; version "UNNECESSARY"; dnssec-enable yes; dnssec-validation auto; ## tried with yes but no difference random-device "/dev/urandom"; managed-keys-directory &

Re: dnssec-validation [ ddig_sigchase option ]

On 10/12/16 15:07, Evan Hunt wrote: On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: On 10/12/16 13:36, Evan Hunt wrote: I recommend using "delv" instead. "dig +sigchase" isn't good code. ? well that is news to me :-\ It's code that was contributed over ten years ago; we

Re: dnssec-validation [ ddig_sigchase option ]

On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote: > On 10/12/16 13:36, Evan Hunt wrote: > > I recommend using "delv" instead. "dig +sigchase" isn't good code. > > ? well that is news to me :-\ It's code that was contributed over ten years ago; we put it into dig (hidden behind

Re: dnssec-validation [ ddig_sigchase option ]

On 10/12/16 13:36, Evan Hunt wrote: On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" I recommend using "delv" instea

Re: dnssec-validation [ ddig_sigchase option ]

On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote: > Was trying to run dig commands to do some dnssec validation and got the > following message " > > "Invalid option: +sigchase" I recommend using "delv" instead. "dig

Re: dnssec-validation [ ddig_sigchase option ]

On 10/12/16 11:40, Bhangui, Sandeep - BLS CTR wrote: Hi Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3. Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" When checked found that the

dnssec-validation [ ddig_sigchase option ]

Hi Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3. Was trying to run dig commands to do some dnssec validation and got the following message " "Invalid option: +sigchase" When checked found that the dig utility has to be compiled with "-DDIG_SIGCHASE" o

Re: Is BIND9 DNSSEC validation too strict?

Daniel Stirnimann wrote: > > BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing > to validate the following non-existent domain name: > > dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec > > I believe, the reason for the validation error

Is BIND9 DNSSEC validation too strict?

Dear all, BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing to validate the following non-existent domain name: dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec ; <<>> DiG 9.8.3-P1 <<>> @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec ; (1 server found) ;;

Re: DNSSEC validation failures for www.hrsa.gov

In message , Jay Ford writes: > On Sat, 25 Jun 2016, Mark Andrews wrote: > > The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. > > They are returning FORMERR to queries with EDNS options. Unknown > > EDNS options

Re: Re: DNSSEC validation failures for www.hrsa.gov

On 24-Jun-16 22:13, Jay Ford wrote: > On Sat, 25 Jun 2016, Mark Andrews wrote: >> The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. >> They are returning FORMERR to queries with EDNS options. Unknown >> EDNS options are supposed to be ignored (RFC 6891). >> >> You can

  1   2   3   >