dig +dnssec +cd soa com
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
On Tue, 10 May 2011 15:17 +1000, Mark Andrews ma...@isc.org wrote:
dig +dnssec +cd soa com
dig +dnssec +cd soa com
; DiG 9.8.0-P1 +dnssec +cd soa com
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 55492
;; flags:
date -u on the nameserver. It is Tue 10 May 2011 05:32:13 UTC
as I send this.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
On Tue, 10 May 2011 15:32 +1000, Mark Andrews ma...@isc.org wrote:
date -u on the nameserver. It is Tue 10 May 2011 05:32:13 UTC
as I send this.
here,
date -u
Mon May 9 22:34:59 UTC 2011
hrm? not good :-/
switch time server daemon to a known signed domain (clock.isc.org)
service ntp
In message 1305006478.3040.1450174...@webmail.messagingengine.com, writes:
On Tue, 10 May 2011 15:32 +1000, Mark Andrews ma...@isc.org wrote:
date -u on the nameserver. It is Tue 10 May 2011 05:32:13 UTC
as I send this.
here,
date -u
Mon May 9 22:34:59 UTC 2011
hrm? not
On Tue, 10 May 2011 16:15 +1000, Mark Andrews ma...@isc.org wrote:
looks good, right?
yes.
MANY thanks! i wouldn't have easily found this ...
DNSSEC only needs wristwatch time accuracy however it is easy to
get the time wrong if the server is configured in the wrong timezone.
The
In message 1305008349.11252.1450182...@webmail.messagingengine.com, writes
:
On Tue, 10 May 2011 16:15 +1000, Mark Andrews ma...@isc.org wrote:
looks good, right?
yes.
MANY thanks! i wouldn't have easily found this ...
DNSSEC only needs wristwatch time accuracy however it is
On 05/10/2011 07:58 AM, Mark Andrews wrote:
date -u may now be correct but is plain date? If it isn't you
should correct timezone for the server so that both date and date
-u are correct. Otherwise you leave the server open to the
accidental misconfiguration that probably caused this problem
hi,
not sure how to read that. now that my time's correct again, can/should
I leave the server as is? or is there a specific recommendation for
time setup on a DNS server?
On Tue, 10 May 2011 16:58 +1000, Mark Andrews ma...@isc.org wrote:
date -u may now be correct but is plain date?
Hi.
My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing
as DNSSEC-valid.
I've both internal and external views:
-- internal is authoritative and provides recursion for LAN clients
-- external serves only as an authoritative hidden-primary feeding
slaves via AXFR.
all good.
On 05/09/2011 19:32, dchilton+b...@bestmail.us wrote:
Hi.
My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing
as DNSSEC-valid.
I've both internal and external views:
-- internal is authoritative and provides recursion for LAN clients
-- external serves only as an
hi,
On Mon, 09 May 2011 20:11 -0700, Doug Barton do...@dougbarton.us
wrote:
...
the fact that un-signed domains aren't returning data either is a problem.
that's not returning DATA *and* reporting a SERVFAIL. not sure if
they're one and the same issue.
Split the features you described
This sounds like you have configured 'must-be-secure .;' which
disables secure to insecure transitions within the must-be-secure
namespace.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
Among numerous examples of folks running Bind9 in split-view mode
similar to my config, I found this unanswered DNSSEC-related post,
DNSSEC Validating Resolver and Views
https://lists.isc.org/pipermail/bind-users/2010-March/079166.html
which seems, at least, similar to the issue I'm seeing,
Hi,
On Tue, 10 May 2011 13:52 +1000, Mark Andrews ma...@isc.org wrote:
This sounds like you have configured 'must-be-secure .;' which
disables secure to insecure transitions within the must-be-secure
namespace.
I'd not yet heard of that option. It's not present in my
Do you have dnssec-lookaside configured and if so how?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
In message 130403.6599.1450152...@webmail.messagingengine.com, writes:
Among numerous examples of folks running Bind9 in split-view mode
similar to my config, I found this unanswered DNSSEC-related post,
DNSSEC Validating Resolver and Views
hi,
On Tue, 10 May 2011 14:48 +1000, Mark Andrews ma...@isc.org wrote:
What does dig DS adobe.com return?
dig DS adobe.com
; DiG 9.8.0-P1 DS adobe.com
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 37646
;;
18 matches
Mail list logo