RE: How to validate DNSSEC signed record with dig?

2012-02-06 Thread Marc Lampo
Hello, To be precise : bind.odvr.dns-oarc.net. validates but seems to ignore expired (but otherwise valid) signatures. unbound.odvr.dns-oarc.net. validates without ignoring expired signatures. Kind regards, Marc Lampo Security Officer EURid vzw/asbl -Original Message- From: Spain, D

Re: bind crash with max-refresh-time 0;

2012-02-06 Thread Matus UHLAR - fantomas
>Does this also stop a slave from checking when it receives a >notify? The documentation isn't clear on that. configure master not to send notifies then. Alternatively, you can deny notifies from master. But Mark's first question is still important: What are you trying to achieve? On 03.02.

Re: bind crash with max-refresh-time 0;

2012-02-06 Thread Miek Gieben
[ Quoting at 13:32 on Feb 6 in "Re: bind crash with ..." ] > >needed to go in production. (Sadly bind bugs aren't searchable on the > >internet). > > > >So to work around this I thought: kill the SOA timers (messing with the > >zone is not an option) and only use notifies. But then bind crashes :

RE: How to validate DNSSEC signed record with dig?

2012-02-06 Thread Tony Finch
Spain, Dr. Jeffry A. wrote: > > Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com) > doesn't appear to offer DNSSEC validation, and 78.46.213.227 > (rms.coozila.com) doesn't respond to my query at all. It's worse than that. Google Public DNS doesn't support DNSSEC at all, so

Re: Same Transaction ID queries

2012-02-06 Thread Tony Finch
Samer Khattab wrote: > What is BIND internal logic when such a series of queries are received, and > why it would not answer to all requests. Each query in progress from a given client must have a different ID, so queries with the same ID are logically the same query which only needs one reply.

RE: zone serial (0) unchanged. zone may fail to transfer to slaves.

2012-02-06 Thread Spain, Dr. Jeffry A.
>> Feb 4 15:53:46 nsb0s named[9090]: zone jspain.us/IN (signed): zone serial >> (2012013003) unchanged. zone may fail to transfer to slaves. > I suspect that it is benign. Had you just thawed the server/zone? After a review of the logs over the past several days, I see that this message occurr

Windows 2008 R2 validating DNSSEC resolvers

2012-02-06 Thread Matthew Huff
I know this is a bind list, but does anyone know any public information about when/if Microsoft is going to release a SHA2 compatible DNS server so it can be used as a validating DNSSEC resolver without forwarders? Since the root trust anchor is published in SHA2, currently it can't be used (unl

RE: Windows 2008 R2 validating DNSSEC resolvers

2012-02-06 Thread Spain, Dr. Jeffry A.
> I know this is a bind list, but does anyone know any public information about > when/if Microsoft is going to release a SHA2 compatible DNS server so it can > be used as a validating DNSSEC resolver without forwarders? Since the root > trust anchor is published in SHA2, currently it can't be u

Re: Unknown RR in .in domain

2012-02-06 Thread Alan Clegg
On 2/6/2012 1:35 PM, Gaurav kansal wrote: > Can anyone please tell me why TYPE50 RR is showing in response > coming from .in domain Because your version of DIG does not understand NSEC3 records. http://tools.ietf.org/html/rfc5155 AlanC -- a...@clegg.com | 1.919.355.8851 signature.as

RE: Unknown RR in .in domain

2012-02-06 Thread Gaurav kansal
Thanks Alan. I got it. But why am I getting two NSEC3 records for .in domain?? Shouldn't I get one NSEC3 RR only 9sf2fomuor72m596ccsodg86639e6odr.in. 86400 IN TYPE50 \# 39 0101000104D399EAAB144F26941DE035CEBAF0F6DDC54DA445170C24 05870007220290 9sf2fomuor72m596ccsodg86639e6odr

RE: Unknown RR in .in domain

2012-02-06 Thread Chris Thompson
On Feb 6 2012, Gaurav kansal wrote: Thanks Alan. I got it. But why am I getting two NSEC3 records for .in domain?? Shouldn't I get one NSEC3 RR only Because the "in" servers are denying the existence of a signed delegation for "nknsec.in", while (because the zone uses opt-out) al

Re: Unknown RR in .in domain

2012-02-06 Thread Mark Andrews
In message <001301cce503$0716a950$1543fbf0$@nic.in>, Gaurav kansal writes: > Thanks Alan. > I got it. > > But why am I getting two NSEC3 records for .in domain?? Shouldn't I > get one NSEC3 RR only Because that is what is required. We are sending the proof that a DS record does

Multiple BIND instances

2012-02-06 Thread sasa sasa
Hi, I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache only and another authoritative. Is it better to install 2 OS virtually and run BIND in them or run 2 instances of BIND on the same OS? I mean what is the best practice to take advantage of the hardware resources wit

Re: Multiple BIND instances

2012-02-06 Thread Jeff Peng
On 2012-2-7 15:09, sasa sasa wrote: I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache only and another authoritative. Is it better to install 2 OS virtually and run BIND in them or run 2 instances of BIND on the same OS? I mean what is the best practice to take advantage