Matus UHLAR - fantomas wrote:
>
> and in case of private/internal domain even logical - it's not useful to
> push DS records to parent, and even possible with 2 versions of the same
> zone.
You can have a secure delegation in the parent if you sign both versions
of the zone
On 08.02.18 19:12, Mark Andrews wrote:
You break a chain of trust by proving there is a insecure delegation.
that should be expected :-)
and in case of private/internal domain even logical - it's not useful to
push DS records to parent, and even possible with 2 versions of the same
zone.
You break a chain of trust by proving there is a insecure delegation.
NXDOMAIN is not a delegation.
The point on OPTOUT is to allow the parent zone to add and remove
insecure delegations without resigning.
Mark
> On 7 Feb 2018, at 11:26 pm, Tony Finch wrote:
>
> Pruned debug
Thankyou,
Am 2018-02-08 hackte Warren Kumari in die Tasten:
> On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote:
>> Michelle Konzack wrote:
>>
>>> If someone is interested making a slave for me, I can do
>>> the same with him/her/whatelse.
>>
>> I'm
On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote:
> Michelle Konzack wrote:
>
>> If someone is interested making a slave for me, I can do
>> the same with him/her/whatelse.
>
> I'm cheap, so for my personal domains I use free secondaries from
>
Guten Abend,
Am 2018-02-07 hackte Reindl Harald in die Tasten:
> Am 07.02.2018 um 18:38 schrieb Matus UHLAR - fantomas:
>> neither is possible for now. as I said, neither our customer not
>> itsupstream does maintain the domain.
>
> i will point at that case when someone asks why i insist of be
Am 07.02.2018 um 18:38 schrieb Matus UHLAR - fantomas:
neither is possible for now. as I said, neither our customer not
itsupstream does maintain the domain.
i will point at that case when someone asks why i insist of be registrar
as well as dns-provider for anything i have to deal with it
Matus UHLAR - fantomas wrote:
I wonder why does it do that. I have configured a zone to be type
forward and expected it to work as confdigured, not be validated
upstream.
On 07.02.18 14:14, Tony Finch wrote:
Validation is mostly independent of resolution, so even if you
Matus UHLAR - fantomas wrote:
>
> I wonder why does it do that. I have configured a zone to be type
> forward and expected it to work as confdigured, not be validated
> upstream.
Validation is mostly independent of resolution, so even if you configure a
zone explicitly, the
to
the registrator.
I currently see the only option to disable dnssec on the server, or upgrade
to 9.11 ...
but I'll upgrade the server to debian 8 (bind9.9.5) first.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address
Hi there,
On Wed, 7 Feb 2018, Michelle Konzack wrote:
... Note: If someone is interested making a slave for me ...
Is there a reason you don't use e.g. he.net?
https://dns.he.net/
They do say of DNSSEC that they are "exploring this now" but it seems
to work for me.
--
73,
Ged.
Michelle Konzack wrote:
> If someone is interested making a slave for me, I can do
> the same with him/her/whatelse.
I'm cheap, so for my personal domains I use free secondaries from
https://puck.nether.net/dns/ and https://admin.gratisdns.com/
Tony.
--
Ahoi Matus,
Am 2018-02-07 hackte Matus UHLAR - fantomas in die Tasten:
> yes. even web whois shows no 'nameserver' information.
>
> the name is "testa.eu".
Oi, the owner is the European Commission!
It seems, they have the privileg,
not to attribute Name Server to the domain.
A normal
Pruned debug logs...
validating testa.eu/DS: looking for closest encloser
validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA indicates
potential closest encloser: 'eu'
validating testa.eu/DS: NSEC3 QBQ65Q6097OCPPR0EUCQNSC1FHE073UA at super-domain
eu
validating testa.eu/DS: NSEC3
Matus UHLAR - fantomas wrote:
>
> the name is "testa.eu".
OK, let's dig it (trimmed for relevance):
; <<>> DiG 9.13.0-dev <<>> +multiline +dnssec testa.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39666
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8,
Thanks for providing the domain name in question (testa.eu).
Indeed, port 43 whois shows no nameservers - neither does the web based
whois on whois.eurid.eu, though the name does exist in the 'eu' registry
system.
Dig gives me nothing either...
$ dig testa.eu ns +short
$ dig testa.eu ds +short
Am 07.02.2018 um 12:12 schrieb Reindl Harald:
Am 07.02.2018 um 12:07 schrieb Matus UHLAR - fantomas:
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?
is it because .eu is signed?
On 06.02.18 16:35, Ray Bellis wrote:
Perhaps,
Am 07.02.2018 um 12:07 schrieb Matus UHLAR - fantomas:
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?
is it because .eu is signed?
On 06.02.18 16:35, Ray Bellis wrote:
Perhaps, although I'm not sure why given that .eu is signed
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
what's the difference, when the domain doesn't exist?
is it because .eu is signed?
On 06.02.18 16:35, Ray Bellis wrote:
Perhaps, although I'm not sure why given that .eu is signed with NSEC3
and opt-out.
Are you *sure* that the domain
Am DATE hackte AUTHOR in die Tasten: Ray Bellis
> Perhaps, although I'm not sure why given that .eu is signed with NSEC3
> and opt-out.> On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
>
>> what's the difference, when the domain doesn't exist?
>>
>> is it because .eu is signed?
>
> Are you
Hello Matus,
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
>>Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
>>> our customer uses a domain that is registered, but hidden
>>> (doesn't exist in DNS).
>
> On 06.02.18 18:24, Michelle Konzack wrote:
>>I hope you know what are
On 06/02/2018 16:31, Matus UHLAR - fantomas wrote:
> what's the difference, when the domain doesn't exist?
>
> is it because .eu is signed?
Perhaps, although I'm not sure why given that .eu is signed with NSEC3
and opt-out.
Are you *sure* that the domain doesn't now actually exist in the DNS?
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
On 06.02.18 18:24, Michelle Konzack wrote:
I hope you know what are you doing, because the DNS MUST exist!
Please read the general conditions for the EU
Am 06.02.2018 um 17:24 schrieb Michelle Konzack:
Good evening,
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
Hello,
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
I hope you know what are you doing, because the DNS MUST exist!
Please read
Good evening,
Am 2018-02-06 hackte Matus UHLAR - fantomas in die Tasten:
> Hello,
>
> our customer uses a domain that is registered, but hidden
> (doesn't exist in DNS).
I hope you know what are you doing, because the DNS MUST exist!
Please read the general conditions for the EU Domain Registry!
On 06/02/2018 16:00, Matus UHLAR - fantomas wrote:
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
The domain is used by multiple organizations and we are required to forward
lookups for the domain to foreign internal servers.
The problem is, that parent
Matus UHLAR - fantomas wrote:
>
> Is it currently possible to avoid validating this particular domain?
BIND 9.11 has support for negative trust anchors, but they are supposed to
be used as a temporary workaround to allow time for breakage to be fixed -
you'll probably find
On 06/02/2018 16:00, Matus UHLAR - fantomas wrote:
> Hello,
>
> our customer uses a domain that is registered, but hidden
> (doesn't exist in DNS).
>
> The domain is used by multiple organizations and we are required to forward
> lookups for the domain to foreign internal servers.
>
> The
Am 06.02.2018 um 17:00 schrieb Matus UHLAR - fantomas:
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
The domain is used by multiple organizations and we are required to forward
lookups for the domain to foreign internal servers.
The problem is, that parent
Hello,
our customer uses a domain that is registered, but hidden
(doesn't exist in DNS).
The domain is used by multiple organizations and we are required to forward
lookups for the domain to foreign internal servers.
The problem is, that parent domain (.eu) indicates that the domain is to be
-Ursprüngliche Nachricht-
Von: Evan Hunt [mailto:e...@isc.org]
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I'm just wondering, is an option like unbound's domain-insecure
intentionally not implemented in in BIND? Or did just nobody care
enough to implement
If the zone isn't signed, it shouldn't be trying to validate it as there's
nothing to validate. Unless this fictional TLD now has a real delegated
counter-part?
Stuart
Just for clarification:
If a TLD does not exist, it can neither be signed nor unsigned.
And, officially, the mentioned TLD
Unfortunately we can't sign the fictional TLD, since we are neither master
nor slave of the zone.
We are just forwarding our queries to a foreign authorative Server.
Grüße,
Stefan
If the zone isn't signed, it shouldn't be trying to validate it as there's
nothing to validate. Unless this
NSEC.
W
On Wed, Jan 14, 2015 at 5:12 PM, Stuart Browne
stuart.bro...@bomboratech.com.au wrote:
Unfortunately we can't sign the fictional TLD, since we are neither master
nor slave of the zone.
We are just forwarding our queries to a foreign authorative Server.
Grüße,
Stefan
If the zone
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I'm just wondering, is an option like unbound's domain-insecure
intentionally not implemented in in BIND? Or did just nobody care
enough to implement it yet?
I have resisted implementing it because it's too easy for an operator to
internally, all Documentations etc...
I wouldn't be surprised if they are not even aware of the problem, yet.
Regards,
Stefan
-Ursprüngliche Nachricht-
Von: Evan Hunt [mailto:e...@isc.org]
Gesendet: Mittwoch, 14. Januar 2015 09:13
An: Lasche, Stefan
Cc: BIND Users
Betreff: Re: Disable
On 14/01/2015 09:34, stefan.las...@t-systems.com wrote:
Our customer uses a fictional Toplevel Domain[...]
Can you flip the problem on its head, by signing the fictional TLD and
deploying managed-keys (or trusted-keys) on the validating resolvers?
Graham
Hi Chris,
While you wait for this to become generally available, you can do what I like
to do for my customers: Use two layers of recursive DNS servers. The first
layer takes queries from clients, knows about your insecure domains
(through stub zones, slave zones, or conditional
Hi Daniel,
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
Also a nice idea for a workaround :) But it did not work for me.
This is what I tried:
Options {
Our customer uses a fictional Toplevel Domain[...]
Can you flip the problem on its head, by signing the fictional TLD and
deploying managed-keys (or trusted-keys) on the validating resolvers?
Graham
Unfortunately we can't sign the fictional TLD, since we are neither master nor
slave of
On Jan 13, 2015, at 2:35 AM, stefan.las...@t-systems.com wrote:
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
[...]
I'm just
Hello Stefan
You may also try to disable all DNSSEC algorithms for a zone:
https://lists.dns-oarc.net/pipermail/dns-operations/2014-October/012282.html
Regards,
Daniel
On 13.01.15 14:53, stefan.las...@t-systems.com wrote:
Hi Mukund
and thanks a lot for pointing that out!
It is already
Hi @all,
I know that BIND has no feature to disable DNSSEC validation for selected
Zones/Domains (when working as a recursor).
One can only enable/disable DNSSEC validation globally per view (as a boolean
on/off).
I found that Microsoft's DNS Server has a feature to skip the validation
Hi Stefen
On Tue, Jan 13, 2015 at 11:35:26AM +0100, stefan.las...@t-systems.com wrote:
Some of the internal Domains of our customers will fail the
proof-of-non-existence. While this is technically correct, we still
need access to their internal Domain to do our business... So the
current
Hi Mukund
and thanks a lot for pointing that out!
It is already more than I was hoping for :)
Regards,
Stefan
BIND will get support for negative trust anchors in 9.11, which will provide
the feature that you seek. An implementation is now in the master branch.
stefan.las...@t-systems.com stefan.las...@t-systems.com wrote:
I know that BIND has no feature to disable DNSSEC validation for
selected Zones/Domains (when working as a recursor).
BIND 9.11 will have negative trust anchors.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Fair
- Original Message -
In message 483759859.6291670.1398781076480.javamail.zim...@redhat.com,
Tomas H
ozza writes:
Hi.
I'm trying to disable DNSSEC/EDNS for the lwresd using the
following lwresd.conf:
options {
directory /var/named/;
dnssec-enable
Hi.
I'm trying to disable DNSSEC/EDNS for the lwresd using the
following lwresd.conf:
options {
directory /var/named/;
dnssec-enable no;
dnssec-validation no;
pid-file /run/named/lwresd.pid;
session-keyfile /run/named/session.key;
};
lwres
In message 483759859.6291670.1398781076480.javamail.zim...@redhat.com, Tomas H
ozza writes:
Hi.
I'm trying to disable DNSSEC/EDNS for the lwresd using the
following lwresd.conf:
options {
directory /var/named/;
dnssec-enable no;
dnssec-validation no;
pid
My DNS appliances are not well-suited for this yet, so I want to disable DNSSEC
for my for domain. Anyone know the proper steps to take and what order if
there is any order? I have a DS record in my parent domain. Do I need to
remove that first? Thanks in advance.
Eric
On 01/07/2014 05:01 PM, Eric Davis wrote:
My DNS appliances are not well-suited for this yet, so I want to
disable DNSSEC for my for domain. Anyone know the proper steps to
take and what order if there is any order? I have a DS record in
my parent domain. Do I need to remove that first
@lists.isc.org
[mailto:bind-users-bounces+eric=rockefeller@lists.isc.org] On Behalf Of
Georg Kahest
Sent: Tuesday, January 07, 2014 10:12 AM
To: bind-users@lists.isc.org
Subject: Re: Disable DNSSEC
On 01/07/2014 05:01 PM, Eric Davis wrote:
My DNS appliances are not well-suited for this yet, so I
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
So I guess my DS record has the same TTL as my default TTL for my records?
My default is 8 hours, so if I wait 8 hours after I remove the DS from my
parent zone then I should be ok? My parent zone is a TLD(.edu).
The DS record is
Subject: Re: Disable DNSSEC
On Tue, Jan 07, 2014 at 04:24:31PM +, Eric Davis wrote:
So I guess my DS record has the same TTL as my default TTL for my records?
My default is 8 hours, so if I wait 8 hours after I remove the DS from my
parent zone then I should be ok? My parent zone is a TLD(.edu
On Tue, Jan 07, 2014 at 04:34:27PM +, Eric Davis wrote:
Duh...silly mistake...I did a DIG on the NS record..Once the DS record is
removed DNS queries should work fine right? Thanks Bill.
Once the DS record is removed from the .edu zone, queriers won't expect your
zone to be signed any
Once the DS record is removed from the .edu zone, queriers won't
expect your zone to be signed any more. At that point, you can leave
it signed or remove the signatures, and it won't make any difference.
You just need to wait at least 24 hours from the time the record
disappears from the
dnssec validation for a single zone?
Hello,
Is there a way to disable dnssec validation for a single zone? The people
who run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates
ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is
unsigned, and has no corresponding
On Aug 5 2011, Mark Andrews wrote:
In message ca603693.38da5%ron.dod...@lmco.com, Dodson, Ron writes:
Hello,
Is there a way to disable dnssec validation for a single zone?
No.
Without wanting to argue about whether it would be appropriate to use
such a mechanism (if it existed
Hello,
Is there a way to disable dnssec validation for a single zone? The people who
run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates
ojp.usdoj.gov and has a DS record for ojp.usdoj.gov. Ojp.usdoj.gov is
unsigned, and has no corresponding dnskey record, so validation
In message ca603693.38da5%ron.dod...@lmco.com, Dodson, Ron writes:
Hello,
Is there a way to disable dnssec validation for a single zone?
No.
The people wh
o run the dns for ojp.usdoj.gov have broken dnssec. Usdoj.gov delegates ojp.
usdoj.gov and has a DS record for ojp.usdoj.gov
to disable dnssec validation on a per-zone basis for
internal pseudo TLDs?
Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: t...@lava.net
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Thanks @all, sorry i was out of office yesterday. I'll discuss the
issue this week on the german Linux Tag in Berlin.
What your meaning off firewalls, who looks into packets and block them
if the filter don´t know a flag.
First i´ve fixed the problem with edns no;
Jan
On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
Thanks @all, sorry i was out of office yesterday. I'll discuss the
issue this week on the german Linux Tag in Berlin.
What your meaning off firewalls, who looks into packets and block them
if the filter don´t know a flag.
Some high security
In message d7c8ada3-f213-4ae9-9fbe-8d613d97d...@kumari.net, Warren Kumari wri
tes:
On Jun 8, 2010, at 6:26 AM, Jan Buchholz wrote:
Thanks @all, sorry i was out of office yesterday. I'll discuss the
issue this week on the german Linux Tag in Berlin.
What your meaning off firewalls, who
The DO bit is always set whenever the server includes an EDNS OPT RR
(I thought it was based on the specification, but don't remember which
sentence of which RFC says so).
I was taken aback to read this, because I remembered seeing code in named
that clears the DO bit if dnssec-enable is no:
In message 4c09c562.7030...@dougbarton.us, Doug Barton writes:
Ok, so my guess as to ISC's motivations was pretty much on the mark, and
speaking with my Guy who loves the Internet and wants to see things
work better for everybody hat on, I am totally in agreement. That's why
I said I
On Fri, Jun 4, 2010 at 11:32 PM, Doug Barton do...@dougbarton.us wrote:
With my business hat on though I can see at least 2 possible use cases for
DO=0. The first being related to this thread, I can't/won't fix/remove the
firewall today, I just want my resolver to work. The hapless user in
On 06/04/10 21:58, Paul Vixie wrote:
Doug Bartondo...@dougbarton.us writes:
With my business hat on though I can see at least 2 possible use cases for
DO=0. The first being related to this thread, I can't/won't fix/remove the
firewall today, I just want my resolver to work.
it works. it's
On 06/05/10 07:22, Mark Andrews wrote:
In message4c09c562.7030...@dougbarton.us, Doug Barton writes:
The resolver works. It figures out that it can't make the new style
queries and falls back to the old style queries. If the user is really
worried they can turn off EDNS and with that DO.
In message 201006060107.o5617ep4091...@drugs.dv.isc.org, Mark Andrews writes:
In message 4c0aad2a.4010...@dougbarton.us, Doug Barton writes:
On 06/05/10 07:22, Mark Andrews wrote:
In message4c09c562.7030...@dougbarton.us, Doug Barton writes:
The resolver works. It figures out that
hello together,
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
Thanks,
Jan
___
bind-users mailing list
bind-users@lists.isc.org
https
On Fri, 4 Jun 2010, Jan Buchholz wrote:
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
I believe that only disables *serving* DNSSEC records.
I think you want 'dnssec
2010/6/4 Paul Wouters p...@xelerance.com:
On Fri, 4 Jun 2010, Jan Buchholz wrote:
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
I believe that only disables *serving
: disable dnssec in bind resolver
2010/6/4 Paul Wouters p...@xelerance.com:
On Fri, 4 Jun 2010, Jan Buchholz wrote:
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
I believe
On Fri, Jun 04, 2010 at 05:36:21PM +0200, Jan Buchholz wrote:
i mean the parameter is the default.
Actually, since 9.5.0, the default has been dnssec-validation yes.
(Note, however, that DNSSEC validation doesn't occur unless the resolver
has a trust anchor configured. So you there has to be a
If it doesn't, though, try edns no. You can't have a DO bit if you
don't have a place to put one.
This seems a bit like my left leg hurts, so i stabbed my right leg.
Exactly. Now you aren't lopsided.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
, 2010 9:20 am
Subject: Re: disable dnssec in bind resolver
To: Evan Hunt e...@isc.org
CC: bind-users@lists.isc.org
On Fri, 4 Jun 2010, Evan Hunt wrote:
I'm pretty sure dnssec-enable no does suppress the DO bit. If it
doesn't, that's probably a bug.
Yeah, I thought the default changed when all
On 6/4/2010 1:52 PM, R. Kevin Oberman wrote:
First, dns-validation is 'off' by default in all BIND versions. It's
dnssec-enable that started defaulting to 'yes'.
No, it isn't. The only reason that dnssec-validation appears off is
that without trust anchors, it doesn't do anything. Insert a
At Fri, 4 Jun 2010 16:50:26 +0200,
Jan Buchholz 96de...@googlemail.com wrote:
how i can disable dnssec in the bind resolver ? My firewall don´t let
packets with D0 flag through. I´ve tried 'dnssec-enable no;' , but
this don´t fix the problem.
I believe that only disables *serving
First, dns-validation is 'off' by default in all BIND versions. It's
dnssec-enable that started defaulting to 'yes'.
Correct in the sense that there are no configured trust anchors, so
validation doesn't happen.
Incorrect in the sense that the dnssec-validation option *is* turned on
by
On 06/04/10 11:19, JINMEI Tatuya / 神明達哉 wrote:
The DO bit is always set whenever the server includes an EDNS OPT RR
(I thought it was based on the specification, but don't remember which
sentence of which RFC says so).
Given that concern about whether or not it's a good idea to always send
Doug Barton do...@dougbarton.us writes:
I have a guess at why ISC would want to enable it by default, and even in
the presence of an option to turn it off I'm still Ok with that default.
But if it's not a standards requirement to have it on, giving the admin a
choice would be a welcome thing.
On 06/04/10 19:40, Paul Vixie wrote:
Doug Bartondo...@dougbarton.us writes:
I have a guess at why ISC would want to enable it by default, and even in
the presence of an option to turn it off I'm still Ok with that default.
But if it's not a standards requirement to have it on, giving the
Doug Barton do...@dougbarton.us writes:
On 06/04/10 19:40, Paul Vixie wrote:
...
unless a new IETF RFC comes along and disambiguates the meaning of DO
such that it's only to be set if the requestor thinks it has a
reasonable shot at validating the resulting metadata, i expect BIND to
keep
84 matches
Mail list logo