RE: forced to execute DNS64

2016-10-11 Thread LEE SUKMOON
Thanks for the reply. But a client's network is an IPv6 network. The client obtains an IPv6 address. Then the client connects to a global IPv6 address overseas. But the client obtains an IPv4 address (DNS64-translated IPv6 address). Then the client connects to NAT64, and connects to a local IPv4 service (e.g. CDN). I tried

Is BIND9 DNSSEC validation too strict?

2016-10-11 Thread Daniel Stirnimann
Dear all, BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing to validate the following non-existent domain name: dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec ; <<>> DiG 9.8.3-P1 <<>> @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec ; (1 server found) ;; glob

Re: Is BIND9 DNSSEC validation too strict?

2016-10-11 Thread Tony Finch
Daniel Stirnimann wrote: > > BIND9 (and not Unbound, PowerDNS Recursor, Google Public DNS) is failing > to validate the following non-existent domain name: > > dig @184.105.193.73 ABCD._openpgpkey.posteo.de A +dnssec > > I believe, the reason for the validation error for the above domain name > is

Re: BIND9 DNSSEC algorithm rollover for inline-signed zone

2016-10-11 Thread Sebastian Wiesinger
* Jim Popovitch [2016-10-10 23:42]: > On Mon, Oct 10, 2016 at 7:51 AM, Sebastian Wiesinger > wrote: > > > > http://dnsviz.net/d/blau.beer/V_tTtQ/dnssec/ > > > > After the DS TTL expired I removed the old DS, so the zone now looks > > like this: > > > > http://dnsviz.net/d/blau.beer/V_t2Hg/dnssec/

Re: forced to execute DNS64

2016-10-11 Thread Mark Andrews
Exclude Facebook's IPv6 range. dns64 { exclude { :::0:0/96; // mapped addresses 2a03:2880::/29; // Facebook }; }; In message <389ab5475d0a441a9cc175f0326e5...@skt-tnetpmx2.skt.ad>, LEE SUKMOON writes: > > Thanks for reply.

RE: forced to execute DNS64

2016-10-11 Thread LEE SUKMOON
Thank you. Your advice is very well done. Thank you again. But /29 prefix is not work. /32 prefix is good work. dns64 64:ff9b::/96 { clients { acl_ipv6; ::1; }; exclude { 2a03:2880::/32; // Facebook }; }; [root@DNS_STG:/root] $ dig @::1 m.facebook.com

Re: forced to execute DNS64

2016-10-11 Thread Mark Andrews
I don't understand why you are saying "But /29 prefix is not work." Facebook is 2a03:2880::/29 and the acl code should handle this. Mark [rock:~/git/bind9/xx] marka% whois -r 2a03:2880:: % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is sub

RE: forced to execute DNS64

2016-10-11 Thread LEE SUKMOON
Sorry. I made a mistake. The /29 prefix works well. My DNS was using the expired cache before the cache update. (A TTL below 600 is the expired cache.) Thanks. [root@DNS_STG:/root] $ dig @::1 m.facebook.com ; <<>> DiG 9.9.9-P3_NLIA_NS_160928 <<>> @::1 m.facebook.com ; (1 server found) ;; global options: