Thanks Mark. It's right there in the log.
Bob
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users
Named will tell you which DNSSEC algorithms it supports. Depending upon the OS
and its configuration this may differ.
DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519
ED448
vs
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256
Would this be true for FreeBSD as well? I also have a bind 9.18.24
instance running on freeBSD
and it seems to be ok.
Bob
> The crypto policy stuff ultimately creates and maintains files in
/etc/crypto-policy/backends, which has a list of acceptable or
not-acceptable crypto settings.
> Whilst
From: bind-users on behalf of John Thurston
Date: Thursday, 18 April 2024 at 06:39
To: "bind-users@lists.isc.org"
Subject: Re: Answers for www.dnssec-failed.org with dnssec-validation auto;
Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock
had fallen on my h
Arrgh. You are correct. I was so far down in the weeds, I didn't notice
a rock had fallen on my head.
I know I can re-enable SHA1 for everything on the host with:
update-crypto-policies --set DEFAULT:SHA1
But that's a fairly broad stroke, when only 'named' needs to accept such
signatures. Is
My bind 9.18.24 server runs under Debian.
When I query with dig it appears to take long enough to resolve that it
goes to the next DNS server in the client's IP stack. The secondary server
in my list is quad9. It seems to resolve correctly. If I point to the
address of my Debian server, it works
testPrimary-key";
};
};
options {
directory "/var/opt/testPrimary/named/data";
dump-file "cache_dump.db";
listen-on port 1053 {
127.0.0.1/32;
};
querylo
he_dump.db";
listen-on port 1053 {
127.0.0.1/32;
};
querylog yes;
dnssec-validation auto;
empty-zones-enable no;
recursion yes;
};
key "ns88-testPrimary-key" {
algorithm "hmac-sha256";
secret "
On 17/04/2024 11:41, John Thurston wrote:
I'm seeing strange behavior with a BIND 9.18.24 resolver and
dnssec-failed.org.
With no dnssec-validation line (or with "dnssec-validation auto") in
the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as
expected . . until
I'm seeing strange behavior with a BIND 9.18.24 resolver and
dnssec-failed.org.
With no dnssec-validation line (or with "dnssec-validation auto") in the
.conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected
. . until it doesn't. After several seconds of answering S
Hello. I just want to say everything seems to be working on my domain, and my
primary dns server already performs validation
Dnssec-validation is set to auto, like on the secondary dns, and it's working.
When I perform
Dig @dns www.dnssec-failed.org it already returns SERVFAIL and the rest seems
named.conf on the primary and secondary server to
find why dnssec-validation needs to be off on the primary.
Thanks!
David
-Original Message-
From: Mark Andrews
Sent: 14 April 2023 02:35
To: David Carvalho
Cc: Evan Hunt ; bind-users@lists.isc.org
Subject: Re: dnssec-validation?
r my
> domain.
>
> A few months ago I updated both dns servers to Oracle Linux 8, running BIND
> 9.16.23 to prepare for this.
> They seem to be working fine as previously, running as both recursive and
> authoritative for di.ubi.pt.
>
> DNS2 has still "dnssec-validation a
and reload, I would stick with this version.
Regards
David
-Original Message-
From: Evan Hunt
Sent: 13 April 2023 18:08
To: David Carvalho
Cc: bind-users@lists.isc.org
Subject: Re: dnssec-validation?
On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote:
> Problem number 1: Dns
On Thu, Apr 13, 2023 at 11:38:15AM +0100, David Carvalho wrote:
> Problem number 1: Dnssec seems to be running on "di.ubi.pt", but
> dnssec-validation still needs to be set to no; Will this cause troubles?
> Dns2 is set to auto and runs fine.
>From here, di.ubt.pt appears
Hello again.
Problem number 1: Dnssec seems to be running on "di.ubi.pt", but
dnssec-validation still needs to be set to no; Will this cause troubles?
Dns2 is set to auto and runs fine.
Problem number 2: How can I avoid the key regeneration (using version
9.16.23) every named resta
D
9.16.23 to prepare for this.
They seem to be working fine as previously, running as both recursive and
authoritative for di.ubi.pt.
DNS2 has still "dnssec-validation auto;" on its /etc/named.conf.
I've found out that if I wanted my primary server to start answering my
internal requests for outsi
On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users wrote:
> After reverting my primary dns configuration, and asking my provider to
> remove the DNSKEY, I had to include dnssec-validation no; otherwise it would
> keep answering with SERVFAIL
>
> I not
to parent domain, the test performed by
dnssec-analyzer showed everything ok, nevertheless, all queries except those
about my.domain were
Rejected with SERVFAIL.
dig @my.server or dig @localhost
My secondary dns server hold everything while testing, and I noticed I had
dnssec-validation auto
Today, we had a case where one of our resolvers (9.16.37) failed to
return an SOA-record for the TLD 'us'. digging with the +cd flag,
returned a value, while delving with +vtrace failed:
;; fetch: us/SOA
;; resolution failed: SERVFAIL
Fingers pointed to a failure to validate. I dumped the
dence that I'm
> recognizing the important lines in the logs before I start casting stones.
>
> --
> Do things because you should, not just because you can.
>
> John Thurston907-465-8591
> john.thurs...@alaska.gov
> Department of Administration
> State of Alaska
>
907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
On 1/24/2023 5:26 AM, Michael Richardson wrote:
John Thurston wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I
am
> writing "category dnssec" t
John Thurston wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;" When I look
in
> the resulting log file, I'm guessing that lines like this:
guess it could
mean someone is trying to serve up wrong answers ...
Found many lines of 'no valid signature found’
I think you are probably OK.
> On Jan 23, 2023, at 7:44 PM, John Thurston wrote:
>
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I
am writing "category dnssec" to a log file at "severity info;" When I
look in the resulting log file, I'm guessing that lines like this:
validating com/SOA: got insecure response; parent
On 31. 01. 22 11:50, Tony Finch wrote:
2. Should sendmail not be trusting the AD bit in replies from the admin
configured (i.e., trusted by admin) resolvers?
It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also
relies on the AD bit to validate SSHFP records. But using AD is
Gregory Shapiro via bind-users wrote:
>
> Two questions:
Slightly expanding on Mark's answers...
> 1. Is there a reason when BIND is running as both a recursive server and
> an authoritative server for a domain, it doesn't set the AD bit when
> answering resolver queries for one of its
> On 31 Jan 2022, at 10:45, Gregory Shapiro via bind-users
> wrote:
>
> sendmail's implementation of DANE determines whether DNSSEC validation was
> successful based on the presence of the AD bit in the response to the DANE
> record lookup.
>
> An equ
sendmail's implementation of DANE determines whether DNSSEC validation was
successful based on the presence of the AD bit in the response to the DANE
record lookup.
An equivalent dig lookup would be:
% dig TLSA _25._tcp.smtp.gshapiro.net.
...
;; Got answer:
;; ->>
On 27. 01. 22 16:05, Gehrkens.IT GmbH | Heiko Wundram wrote:
Hello Tony,
The other things that can cause the behaviour you observed are synth-from-
dnssec and qname-minimization.
thanks for the heads up concerning synth-from-dnssec; I thought the default
was "no", but that seems to have
Hello Tony,
> The other things that can cause the behaviour you observed are synth-from-
> dnssec and qname-minimization.
thanks for the heads up concerning synth-from-dnssec; I thought the default
was "no", but that seems to have changed somewhere between 9.14 and 9.16...
I've just changed that
Gehrkens.IT GmbH | Heiko Wundram wrote:
>
> From what I gather, this behaviour sounds almost like what RFC 8020 proposes
> (NXDOMAIN cut), but at least according to the corresponding ticket, that
> isn't implemented in BIND.
The other things that can cause the behaviour you observed are
the forwarded zones.
Generally, this works: in the views that should resolve the internal
forwarded zone names, I can resolve them, and BIND also skips DNSsec
validation for those zones. Now comes the but: if I resolve a zone name in
.lan or .local which is not forwarded I get an NXDOMAIN
ward;
> forward only;
> forwarders { 192.168.0.7; };
> };
>
> The options section of the file specifies
>
> recursion yes;
> dnssec-enable yes;
> dnssec-validation yes;
>
> Note that 192.168.0.7 is my local LAN address for my AREDN no
;
>
> zone "10.in-addr.arpa." IN {
>type forward;
>forward only;
>forwarders { 192.168.0.7; };
> };
>
> The options section of the file specifies
>
>recursion yes;
>dnssec-enable yes;
>dnssec-validation yes;
;
forwarders { 192.168.0.7; };
};
zone "10.in-addr.arpa." IN {
type forward;
forward only;
forwarders { 192.168.0.7; };
};
The options section of the file specifies
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
Note that 192.1
resolv.conf has only itself as dns server
When using dnssec-validation AUTO, and turning on debug, the following is shown
when I nslookup from my PC towards the server.
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request
is not signed
13-Nov-2020 11:09:18.998
ed
domain. Try debuging salesforce.com. domain verification instead.
On 11/13/20 1:59 PM, Ismael Suarez wrote:
> With "dnssec-validation AUTO;" I get:
>
> # delv +cd www.popularsba.com
> ;; resolution failed: timed out
>
>
> With "dnssec-validation NO;" I
With "dnssec-validation AUTO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
With "dnssec-validation NO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com. 279 IN CNAME
.00d1n02kxqqua0.gslb.siteforce.com.
4.0p13m008e6qcaq.00d1n02kxqqua0.gslb.siteforce.com. 102 IN A
161.71.31.253
Cheers,
Petr
On 11/13/20 5:26 AM, Ismael Suarez wrote:
> Hi all
>
> The following domain (www.popularsba.com) does not resolve with dnssec
> validation set to auto, but w
Hi all
The following domain (www.popularsba.com) does not resolve with dnssec
validation set to auto, but when I change the validation off it works.
Why is this? How can I check this validation?
Using bind 9.12
Thanks to all
___
Please visit https
to include them yourself.
Try adding:
include "/etc/bind.keys";
to your configuration, if dnssec-validation yes; is used.
Best Regards,
Petr
On 11/12/20 11:18 AM, Onur GURSOY wrote:
> Hello Everyone,
> I have some trouble about bin9 and dnssec
> When i set dnssec-validatio
Hello Everyone,
I have some trouble about bin9 and dnssec
When i set dnssec-validation to auto.
My dns server is talking with google dns server (8.8.8.8 and 8.8.4.4)
and
when i set to dnssec-validation to yes
it couldn't talk with google dns server.
i have realized, there is no pre defined
One may also want to disable synth-from-dnssec to prevent this NSEC record
synthesising a negative response.
loans. 4070IN NSEClocker. NS DS RRSIG NSEC
If named gets a query for a name in the covered range it will learn the
NSEC record and will synthesise a negative
On Thu, Jul 25, 2019 at 09:03:26PM +, Evan Hunt wrote:
> In 9.11, no. In 9.14, you can use "validate-except { local; };"
(Afterthought: In 9.11, you can also use "rndc nta" to suppress validation
on a given domain, but negative trust anchors expire after a while, so you
have to keep doing it
On Thu, Jul 25, 2019 at 12:52:18PM -0800, John Thurston wrote:
> Is there any way to tell my resolver it shouldn't be validating
> responses for foo.local?
In 9.11, no. In 9.14, you can use "validate-except { local; };"
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
no influence or control. The difficulty is if my named.conf contains:
dnssec-validation auto;
then I'm unable to return records for things like a.foo.local, and my
log contains info-messages of the sort:
---
lame-servers: info: insecurity proof failed resolving
'foo.local/SOA/IN': 10.1.2.3#53
via
bind-users
Sent: Thursday, 18 July 2019 10:22 PM
To: m...@posix.co.za; bind-users@lists.isc.org
Subject: Re: DNSSEC validation via DLV
Not a difficult process really..
-Configure a DNSSEC enabled name server
-Create a some zone keys (dnssec-keygen) -Sign your zone (dnssec-signzone)
-Update
On 19/07/2019 9:27 am, p...@vspace.co.za wrote:
>
> Problem being, no options exist as to export the DS record of co.za, com.au
> or net.au domains to the respective registrars, being namecheap.com and
> axxess.co.za.
>
Change registry right ?
Crazy domains supports them for the ".com.au"
;> though zones still exists that does not provide a fully signed path
>> from root to zone, i.e. .com.au , co.za etc, how would an
>> administrator enable / implement DNSSEC validation for these zones ?
>>
>>
>> ___
>
xists that does not provide a fully signed path
>> from root to zone, i.e. .com.au , co.za etc, how would an
>> administrator enable / implement DNSSEC validation for these zones ?
>>
>>
>> ___
>> Please visit https://
SSEC Lookaside Validation) having been decommissioned,
though zones still exists that does not provide a fully signed path
from root to zone, i.e. .com.au , co.za etc, how would an
administrator enable / implement DNSSEC validation for these z
With DLV (DNSSEC Lookaside Validation) having been decommissioned, though
zones still exists that does not provide a fully signed path from root to
zone, i.e. .com.au , co.za etc, how would an administrator enable /
implement DNSSEC validation for these zones
On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt wrote:
>
> On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote:
> > The default BIND9 installation for CentOS7 has dnssec-validation set to
> > "yes" and it also includes managed-keys as well. Do those
Shawn Zhou via bind-users wrote:
> Thanks Even. Sounds like "dnssec-validation auto" is a more
> future-proof option for what want it. I will use that instead.
My recommendation is to avoid configuring or installing root trust
anchors, and let named handle all that itse
Thanks Even. Sounds like "dnssec-validation auto" is a more future-proof
option for what want it. I will use that instead.
On Wednesday, June 12, 2019, 5:25:51 PM PDT, Evan Hunt
wrote:
On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote:
> The
On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote:
> The default BIND9 installation for CentOS7 has dnssec-validation set to
> "yes" and it also includes managed-keys as well. Do those managed-keys
> get updated automatically?
Yes, if the "
Hi,
The default BIND9 installation for CentOS7 has dnssec-validation set to "yes"
and it also includes managed-keys as well. Do those managed-keys get updated
automatically? It is not clear from reading
https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#dnssec-validation
Hi all,
I need to setup my lab network to have my recursive DNS server (which runs bind
v9.9.5) to be able to make partial DNSSEC validation where the client should be
able to make the other half of the validation process. In particular, I need
the DNS resolver to be able to validate the root
Sunghwan Kim(IBI) wrote:
>
> I would like to know what happens if dnssec-enable yes; dnssec-validation
> no; in named.conf are being setting.
>
> Does it come SERVFAIL ?
No. (But see * below...)
`dnssec-enable` is to do with handling of DNSSEC records and query flags:
setting
Hi All,
My running server is BIND-9.11.4-P1.
I would like to know what happens if dnssec-enable yes; dnssec-validation
no; in named.conf are being setting.
Does it come SERVFAIL ?
Regards,
Sunghwan.
--
(주)아이비아이(www.ibi.net)
DNS사업부/본부장
02-2165-7234
Hi people, I have two BIND 9.10.3 servers with DNSSEC validation enabled,
one in one client and the other in another client.
Both BIND have the same configuration lines relative to DNSSEC validation:
dnssec-validation auto;
dnssec-enable yes;
and both has the current and future key in bind.keys
s? I assume the validation is
> > already done at the recursive resolver.
>
> The resolver doesn't have to do DNSSEC validation itself (though of course
> it's a good idea). It just needs to pass along signatures on request. If
> you're using a resolver that doesn't do that... we
the signatures? I assume the validation is
> already done at the recursive resolver.
The resolver doesn't have to do DNSSEC validation itself (though of course
it's a good idea). It just needs to pass along signatures on request. If
you're using a resolver that doesn't do that... well, use a di
Thanks Warren. I will look into https://getdnsapi.net/ .
Rgds
simon
On Tue, Feb 13, 2018 at 2:07 PM, Warren Kumari wrote:
> On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote:
> > Hello Evan,
> >
> > Thank you so much for the quick response.
> >
> >
On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote:
> Hello Evan,
>
> Thank you so much for the quick response.
>
> My requirement is to implement only the recursive resolve and validation
> part of the DNSSEC in my client application. Our CPU and memory are very
> limited.
gt; Implementing a full resolver with a library is possible in BIND 9.12,
> in which we spun off a lot of the name server code into a new libns
> library. I can't point you to any sample code other than named itself,
> though.
>
> Given what you said about limited CPU and memory, I can't
ther solution. I'd probably just use dnsmasq and turn on its DNSSEC
validation option.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-
Hello Evan,
Thank you so much for the quick response.
My requirement is to implement only the recursive resolve and validation
part of the DNSSEC in my client application. Our CPU and memory are very
limited. So I am not sure I can go and use BIND 9.
With BIND 9, can I integrate the library in
On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote:
> I am trying to implement the full recursive resolver with libbind library
> in my client code. I am not using resolv.conf in my implementation. Can
> anyone please help to point any sample code for this.
Not even BIND uses libbind
Hello,
I am trying to implement the full recursive resolver with libbind library
in my client code. I am not using resolv.conf in my implementation. Can
anyone please help to point any sample code for this.
Thank you for your help and time.
Rgds
simon
are unsigned now, so that would work
anyway. If I want spoof protection, what should I do?
Do two passes. First: Use DNS without DNSSEC validation to obtain a
list of NTP servers, and thereby determine the current time. Second:
Use DNS with DNSSEC to obtain a list of (trusted) NTP servers
>>> be used in default installation image without manual configuration? And
>>> how does it resolve that name, when date of the system is 1970-1-1 or
>>> something a only a bit more accurate?
>>>
>>> Current pool.ntp.org adresses are unsigned now, so that would work
&g
te of the system is 1970-1-1 or
>> something a only a bit more accurate?
>>
>> Current pool.ntp.org adresses are unsigned now, so that would work
>> anyway. If I want spoof protection, what should I do?
>
> Do two passes. First: Use DNS without DNSSEC validation
do?
Do two passes. First: Use DNS without DNSSEC validation to obtain a list
of NTP servers, and thereby determine the current time. Second: Use DNS
with DNSSEC to obtain a list of (trusted) NTP servers, and verify the time.
The second pass might detect the list of IPs has changed and bypass
Hi there,
On Fri, 15 Dec 2017, Barry Margolin wrote:
In article ,
"G.W. Haywood" wrote:
On Fri, 15 Dec 2017, Petr Men??k wrote:
... current time is not available or can be inaccurate.
ntpdate?
I think the
On 12/15/2017 08:10 AM, Timothe Litt wrote:
I use an 19xLVC too (On Raspbian == Debian). But I also have an RTC.
GPS does have outages, can take a while to get a fix, and NTP wants
consensus. So I use my GPS receiver as a local clock source
(preferred), but also configure several servers
In article ,
"G.W. Haywood" wrote:
> Hi there,
>
> On Fri, 15 Dec 2017, Petr Men??k wrote:
>
> > ... current time is not available or can be inaccurate.
>
> ntpdate?
I think the issue is that he needs to resolve
mpile a kernel that's configured
> appropriately, I feel the clock can be synchronized to about 1us
> accuracy.
>
> It is more or less reliable and value for $70 if one wants UTC on their
> computer without accessing the internet. This is more than sufficient
> for DNSSEC validatio
On 15-Dec-17 06:45, Petr Menšík wrote:
> Hi folks.
>
> I am looking for a way to validate name also on systems, where current
> time is not available or can be inaccurate.
>
> This is related to booting with NTP client, when the only configuration
> is hostname that has to be resolved. There is a
Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a):
> Hi there,
>
> On Fri, 15 Dec 2017, Petr Men??k wrote:
>
>> ... current time is not available or can be inaccurate.
>
> ntpdate?
>
Sure, of course. What would be default host after installation, that can
be used in default
Petr Menšík wrote:
>
> This is related to booting with NTP client, when the only configuration
> is hostname that has to be resolved. There is a bit circle dependencies.
Yes awkward, and there still aren't any convincing answers. One of the
more interesting projects is
It is more or less reliable and value for $70 if one wants UTC on their
computer without accessing the internet. This is more than sufficient
for DNSSEC validation and many other network services, and certainly
more accurate than using the ntp.org pools.
Hi there,
On Fri, 15 Dec 2017, Petr Men??k wrote:
... current time is not available or can be inaccurate.
ntpdate?
--
73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing
Hi folks.
I am looking for a way to validate name also on systems, where current
time is not available or can be inaccurate.
This is related to booting with NTP client, when the only configuration
is hostname that has to be resolved. There is a bit circle dependencies.
First current time is
Hi Mukund
> Are you able to reproduce the bug with the latest stock version of BIND
> 9.9? 9.9.4 is very old and that branch has had numerous bugfixes since.
> I'm not able to reproduce such a validation failure with 9.9.11:
At the moment the latest patched version of bind available for
Hi Ganga
On Thu, Aug 24, 2017 at 09:33:32AM +0600, Ganga R. Dhungyel wrote:
> With dnssec-validation turned on, resolving sites like www.icann.org
> <http://www.icann.org/> fails. The alternative is to remove validation
> which of course is not the desired solution.
Are you ab
On Thu, Aug 24, 2017 at 09:33:32AM +0600,
Ganga R. Dhungyel wrote
a message of 677 lines which said:
> # dig @localhost www.icann.org A +dnssec
When you suspect a DNSSEC issue, always retry dig with +cd (Checking
Disabled). And post the result.
Ganga R. Dhungyel <grdhung...@gmail.com> wrote:
>
> **debug log
>
> 23-Aug-2017 16:17:57.567 dnssec: debug 3:
> validating @0x7f3ffc96e4d0: www.vip.icann.org A:
> attempting insecurity proof
>
> With dnssec-validation turned on, resolving sites like
t; };
allow-query-cache {localhost; my-net; };
flush-zones-on-shutdown yes;
version "UNNECESSARY";
dnssec-enable yes;
dnssec-validation auto; ## tried with yes but no difference
random-device "/dev/urandom";
managed-keys-directory &
On 10/12/16 15:07, Evan Hunt wrote:
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote:
On 10/12/16 13:36, Evan Hunt wrote:
I recommend using "delv" instead. "dig +sigchase" isn't good code.
? well that is news to me :-\
It's code that was contributed over ten years ago; we
On Wed, Oct 12, 2016 at 01:56:09PM -0400, Dennis Clarke wrote:
> On 10/12/16 13:36, Evan Hunt wrote:
> > I recommend using "delv" instead. "dig +sigchase" isn't good code.
>
> ? well that is news to me :-\
It's code that was contributed over ten years ago; we put it into dig
(hidden behind
On 10/12/16 13:36, Evan Hunt wrote:
On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote:
Was trying to run dig commands to do some dnssec validation and got the following
message "
"Invalid option: +sigchase"
I recommend using "delv" instea
On Wed, Oct 12, 2016 at 03:40:54PM +, Bhangui, Sandeep - BLS CTR wrote:
> Was trying to run dig commands to do some dnssec validation and got the
> following message "
>
> "Invalid option: +sigchase"
I recommend using "delv" instead. "dig
On 10/12/16 11:40, Bhangui, Sandeep - BLS CTR wrote:
Hi
Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3.
Was trying to run dig commands to do some dnssec validation and got the following
message "
"Invalid option: +sigchase"
When checked found that the
Hi
Running ISC Bind 9.10.4-P2 will be soon moving to 9.10.4-P3.
Was trying to run dig commands to do some dnssec validation and got the
following message "
"Invalid option: +sigchase"
When checked found that the dig utility has to be compiled with
"-DDIG_SIGCHASE" o
Daniel Stirnimann wrote:
>
> BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing
> to validate the following non-existent domain name:
>
> dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
>
> I believe, the reason for the validation error
Dear all,
BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing
to validate the following non-existent domain name:
dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec
; <<>> DiG 9.8.3-P1 <<>> @184.105.193.73 ABCD._openpgpkey.posteo.de A
+dnssec
; (1 server found)
;;
In message , Jay
Ford writes:
> On Sat, 25 Jun 2016, Mark Andrews wrote:
> > The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant.
> > They are returning FORMERR to queries with EDNS options. Unknown
> > EDNS options
On 24-Jun-16 22:13, Jay Ford wrote:
> On Sat, 25 Jun 2016, Mark Andrews wrote:
>> The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant.
>> They are returning FORMERR to queries with EDNS options. Unknown
>> EDNS options are supposed to be ignored (RFC 6891).
>>
>> You can
1 - 100 of 206 matches
Mail list logo