Using TCP for checking

2009-04-07 Thread Mark Elkins
I'm involved in the CO.ZA Registry. In the process of registering a domain name in the co.za zone - we do a bunch of DNS checks using 'dig'. For each nameserver, a) check that the zone exists (fetch the SOA), b) fetch the NS RRSet count and compare entries. c) if Nameserver inside the

Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-05 Thread Mark Elkins
Does work with bind 9.6.0 - as NSEC3 is available... ; DiG 9.6.0-P1 +dnssec @127.0.0.1 SOA gov. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 1 ;; OPT

Re: tcp versus udp

2009-05-06 Thread Mark Elkins
On Wed, 2009-05-06 at 07:59 +0200, Stephane Bortzmeyer wrote: On Wed, May 06, 2009 at 12:00:12AM -0400, Danny Mayer ma...@gis.net wrote a message of 39 lines which said: That's nonsense. That's Peter Dambier. If you try to fix every mistake he makes, you're not over soon... Some

Re: [DNSSEC] SERVFAIL when resolving .gov through DLV

2009-05-06 Thread Mark Elkins
On Tue, 2009-05-05 at 13:45 -0500, Jeremy C. Reed wrote: On Tue, 5 May 2009, Stephane Bortzmeyer wrote: This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's DLV: https://www.isc.org/node/437 Question on using trusted-keys: There are two public sources of trusted-keys

Re: Automating a KSK rollover

2009-07-05 Thread Mark Elkins
I've added some automation around signing zones. For the KSK - it has a default life of 12 months. I'm looking at having two valid KSKs running with an overlap of 6 months. This means updating dlv.isc.org every 6 months, adding a new key, removing the old key and leaving the key that's 6 months old.

Re: DNSKEY Validation

2009-07-14 Thread Mark Elkins
, Danny Mayer writes: Stephane Bortzmeyer wrote: On Sun, Jul 12, 2009 at 08:42:27PM +0200, Mark Elkins m...@posix.co.za wrote a message of 31 lines which said: Arg 3 should be 5 (or maybe 3) - the algorithm. No, you must not use a hard-wired list in your code

Re: DNSKEY Validation

2009-07-14 Thread Mark Elkins
On Tue, 2009-07-14 at 17:50 +1000, Mark Andrews wrote: In message 1247555725.13064.4.ca...@ilinux, Mark Elkins writes: OK - so I accept that the algorithm will change. What about some sort of validation of the base-64 part of the key? Is there a checksum byte/word? Is there a way

Re: Format of 'dig -k' TSIG key file?

2009-07-31 Thread Mark Elkins
On Thu, 2009-07-30 at 17:40 -0400, Joseph S D Yao wrote: What does work is: dig -y mynet.:Ain/tGonnaTellNoWay== axfr example.zone @other.example.zone but I really, really find this not altogether pleasant. This gets a bit more funky when you are not using the default key-algorithm of

Re: is TSIG key rollover possible?

2009-09-16 Thread Mark Elkins
Don't think TSIG Key roll-over is possible - in the DNSSEC sense. Don't think it is as necessary either. I have separate TSIG relationships between my Primary and Secondary peers. I use the same TSIG for all zones that are on both peers - the TSIG is to secure the path between the two peers. I

Re: Reasonable setup of a dnssec aware recursive resolver

2010-03-29 Thread Mark Elkins
On Mon, 2010-03-29 at 11:17 +0200, Mark Elkins wrote: I'm trying to come up with an interim solution for my ISP's DNS Recursive Resolver that is DNSSEC aware. My thoughts so far:- Use BIND 9.6.1-P3 (this is the latest version named that Gentoo Linux gives me). Ouch! - bitten by the signing

Key ID from DNSKEY - how?

2010-10-27 Thread Mark Elkins
I would like to calculate the Key-ID from a DNSKEY record. I'd prefer to do this in PHP as this is inside some existing PHP (Web) scripts but I guess calling a C program would not be too inconvenient. I'd like to index records (ie DNSKEY and DS Records) according to their Key-ID - and present

DNSSEC Keys - and trying to not leaving them around

2011-01-12 Thread Mark Elkins
There are some parts of Key management with DNSSEC that I don't quite get - so I'm hoping for some feedback. I'm using BIND 9.7.2-P3 and running dnssec-signzone -3 abcd -o example.com -p -t -A example.com I believe that:- 1 - The KSK is used to sign the ZSK. 2 - The ZSK is used to sign the rest

Re: IPv4 IPv6 named processes on a dual stack host

2011-05-24 Thread Mark Elkins
On Tue, 2011-05-24 at 13:22 -0500, Timothy Stoddard wrote: Has anyone run into an issue with two named processes running on the same host? We want to begin serving up DNS on our IPv6 address space and do not want to duplicate each of our DNS servers. We have started two named processes one

Re: How to Setup a Name Servers visible on Internet?

2011-06-14 Thread Mark Elkins
Eric, Did you know that UniForum SA (the CO.ZA administrators) provide free DNS classes for people that live in South Africa? (Intro and Advanced). So you'd need to get over to Johannesburg and/or Cape Town and pay for some accommodation - but the courses are free. You can see and book for the

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Mark Elkins
On Thu, 2011-07-28 at 14:07 -0400, Khuu, Linh Contractor wrote: Hello, I’m new to IPv6 configuring in BIND. I need help. The forward zone is simple enough with record, but the reversed zone is a bit confusing to me. For example, I want to add a hostname of www.example.com to

Re: CNAME or A record?

2011-09-28 Thread Mark Elkins
] VirtualHost [2001:1:1::80] ServerName domain.com ServerAlias www.domain.com ... /VirtualHost -- Mark Elkins m...@posix.co.za Posix Systems ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind

Re: DNSSEC Signing Key Questions

2011-10-04 Thread Mark Elkins
to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Mark Elkins m...@posix.co.za Posix Systems ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users

Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
me - these Keys take ages in the real world to migrate using reasonable timings - do I have to Zap all my Keys - redo all zones. Is this always the case when an Algorithm changes? Versions: BIND 9.7.3-P3, dnssec-keygen: 9.7.3, dnssec-signzone: 9.7.3-P3 -- Mark Elkins m...@posix.co.za Posix Systems

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
On Sat, 2011-10-15 at 08:11 -0700, Casey Deccio wrote: On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins m...@posix.co.za wrote: Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check the results. Add a new KSK using RSASHA256 - prep the zone

Re: Mixing Algorithms for DNSSEC

2011-10-15 Thread Mark Elkins
algorithm - then just switch over to creating KSK's with RSASHA256 as well. I just never knew switching Algorithms would bite me. No one ever told me. On Sat, 2011-10-15 at 20:58 +0100, Matthew Seaman wrote: On 15/10/2011 20:32, Mark Elkins wrote: So what you are saying in practical terms

Re: Mixing Algorithms for DNSSEC

2011-10-16 Thread Mark Elkins
On Sun, 2011-10-16 at 12:13 +0100, Phil Mayers wrote: On 10/15/2011 08:32 PM, Mark Elkins wrote: So what you are saying in practical terms is in order to migrate from RSASHA1 to RSASHA256, wait for the next needed creation of a ZSK (which cycle once a year) and then at exactly the same

Algorithm 'When to use EDNS0'?

2011-11-29 Thread Mark Elkins
I'm Running Bind 9.7.3-P3 (Gentoo build)... When does 'EDNS' get brought into the picture? A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) - but a dig without '+dnssec' and actually asking for the 'dnskey' records for a domain - which is over 512 bytes - does a Truncated,

Re: dnssec-keygen not responding

2011-11-30 Thread Mark Elkins
On Wed, 2011-11-30 at 13:45 -0600, Michael Graff wrote: On Nov 30, 2011, at 3:01 AM, Torsten Segner wrote: In RHEL there is a RPM package called unuran. It's a random number generator daemon using either a piece of hardware or /dev/urandom as source. Running this will provide enough

Re: Algorithm 'When to use EDNS0'?

2011-11-30 Thread Mark Elkins
On Tue, 2011-11-29 at 15:36 +0200, Mark Elkins wrote: When does 'EDNS' get brought into the picture? A 'dig' with '+dnssec' works just fine (more than 512 bytes over udp) - but a dig without '+dnssec' and actually asking for the 'dnskey' records for a domain - which is over 512 bytes - does

Re: DNSSEC authentication and ad parameter

2012-01-10 Thread Mark Elkins
It is working. -- $ dig test.nknsec.in +dnssec ; DiG 9.8.1 test.nknsec.in +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4578 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT

Re: DNSSEC made simple, is this possible?

2012-01-11 Thread Mark Elkins
On Wed, 2012-01-11 at 19:26 +0100, Jan-Piet Mens wrote: Next great thing would be for ISC to support the Soft-HSM that OpenDNSSEC uses. I believe that this would make the step of moving to a real hardware HSM a lot easier (if necessary). BIND has supported the PKCS#11 interface

RE: nslookup/dig question

2012-01-25 Thread Mark Elkins
On Wed, 2012-01-25 at 16:57 +, JeanPaul Thomsin wrote: Antonio and John: You were right on. /var/log/messages indicated there was a problem with named.conf. I had done a check with named-checkconf and it found no errors, so i thought it was OK, but the logs said otherwise.

Re: bind 9.9 inline-signing issue..

2012-01-29 Thread Mark Elkins
I agree with you. I took your example and installed bind 9.9.0b2 I also updated my 'soa' in the unsigned... Am getting the following in my log... Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901 Jan 29...: zone test1.co.za/IN (signed): loaded serial 200105 (DNSSEC signed)

Re: bind 9.9 inline-signing issue..

2012-01-29 Thread Mark Elkins
this for over a year now and it works well for me (organised clutter). On Sun, 2012-01-29 at 23:37 +0200, Mark Elkins wrote: I agree with you. I took your example and installed bind 9.9.0b2 I also updated my 'soa' in the unsigned... Am getting the following in my log... Jan 29...: zone test1

Re: trying DNSSEC with 9.9-rc1

2012-02-02 Thread Mark Elkins
On Wed, 2012-02-01 at 17:18 -0500, Michael W. Lucas wrote: Hi, I'd put off DNSSEC because of the high maintenance requirement. But with 9.9 and inline signing, it looks like I can now do DNSSEC the way I need (static zone files that work with legacy tools, automatic key rotation, etc.) I

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sat, 2012-04-21 at 20:28 -0400, Bill Owens wrote: On Sun, Apr 22, 2012 at 01:11:55AM +0100, Damian Myerscough wrote: Hello, I was setting up BIND DNSSEC and when I issue the following command the process never finishes. dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Re: DNSSEC Generating Zone Key hanging

2012-04-22 Thread Mark Elkins
On Sun, 2012-04-22 at 16:31 +0100, Damian Myerscough wrote: Thanks a lot, I have now resolved this issue. However, I was following the DNSSEC in 6 minutes guide [1] for learning purposes and I have followed all the steps up to you are now serving DNSSEC signed zones. Reading the presentation

Bind 9.9.x inline signing

2012-06-03 Thread Mark Elkins
Eventually got down to some experimenting again. These are observations - which may help others. I followed example 1 of Evan Hunts https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html (I'm using bind 9.9.1) I did change the name of the zone and didn't bother with

Re: VMware Bind

2012-06-05 Thread Mark Elkins
Just make sure you have an adequate supply of Randomness if playing with DNSSEC (or any key generation stuff). On Tue, 2012-06-05 at 13:33 -0400, jcarrol...@cfl.rr.com wrote: Technically VMware is not the OS but the hypervisor that controls other OS's, such as Windows or Linux. I've

Re: Bind 9.9.x inline signing

2012-06-08 Thread Mark Elkins
-keygen' invocation looks like: dnssec-keygen -a RSASHA256 -b 1024 dnssec-keygen -fk -a RSASHA256 -b 2048 So I have a beautiful NSEC managed zone - on to test with NSEC3! On Sun, 2012-06-03 at 18:01 +0200, Mark Elkins wrote: Eventually got down to some experimenting again

Re: Verify raw data within slaves on 9.9.x

2012-06-12 Thread Mark Elkins
On Mon, 2012-06-11 at 15:51 -0700, Walter Smith wrote: Folks, What tools/commands can I run to get plain ascii/text data out of modern raw/binary on BIND 9.9.x slaves? I just want to verify that changes are correct down to the slaves. So - I can check-in these changes into svn etc. If

Re: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-24 Thread Mark Elkins
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote: I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8. The Bv9ARM doesn't discuss this procedure explicitly as far as I can tell, but section 4.9 presents some clues. I'd like to ask the experts on this list if the

Re: rndc signing -nsec3param

2012-08-12 Thread Mark Elkins
Have a look in the BIND log files when you are doing this Look for lines containing: zone_addnsec3chain for example, try changing just the salt... (which is something one might do periodically...) It all starts to make more sense. I agree with the original posting thought - some more

Re: Version statement...

2012-08-19 Thread Mark Elkins
I don't understand the problem... Before I changed my 'named.conf' and added a 'version BIND;' line to the options section - I got... dig @localhost chaos txt version.bind +short 9.9.1-P2 Stopped and restarted BIND, Now I get... # dig @localhost chaos txt version.bind +short Porcupine

Re: how to filter hundreds of domains ?

2012-08-30 Thread Mark Elkins
On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote: On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote: On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said: Actually many telephone companies in the world are doing this,

Re: Suspecious DNS traffic

2013-03-26 Thread Mark Elkins
Maybe I can try. In the very old days - when BIND as a recursive resolver was chasing down an answer to a question, it would send the remote authoritative DNS server the query in a UDP packet which has a query ID which was numbered sequentially. This was bad as bad people could guess your next

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD Named.

2013-03-29 Thread Mark Elkins
Try using a simpler, short MD5 key. Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA). There was also some sort of length bug? - try 128 bit length. On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote: After working on this some more overnight. I can add records

Re: Understanding Kaminsky exploit w/bind

2013-04-15 Thread Mark Elkins
On Sun, 2013-04-14 at 21:30 -0500, Jamie Ostrowski wrote: Hello, I hope this isn't too off-topic, but I've been studying the Kaminsky DNS exploit and I have a question. According to what I've read on the topic, the Kaminsky exploit hijacks a whole domain, and that you can
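The query-ID guessing described in the "Suspicious DNS traffic" reply above and asked about in this Kaminsky thread, as an added example (not code from either post): a toy model that races one forged reply set against a resolver under three ID policies, sequential IDs on a fixed port (the "very old days"), a random 16-bit ID, and a random ID plus a random source port. Each trial is one race; Kaminsky's contribution was that an attacker can get an unlimited number of races by asking for names that do not exist, so the per-race odds are what matter. The ephemeral port range and forged-packet counts are assumptions; nothing touches the network.

```python
"""Added example: spoofing odds under sequential vs random query IDs.
Not from the posts; the 'network' is plain Python objects."""
import random

ID_SPACE = 1 << 16
PORT_MIN, PORT_MAX = 1024, 65535  # assumed ephemeral port range for the model


class Resolver:
    """Issues one outstanding query at a time under a given ID policy."""

    def __init__(self, policy: str, rng: random.Random):
        self.policy = policy
        self.rng = rng
        self.counter = rng.randrange(ID_SPACE)
        self.outstanding = None

    def send_query(self):
        """Return the (query id, source port) the query leaves with."""
        if self.policy == "sequential":            # old behaviour: id+1, port 53
            qid, port = self.counter, 53
            self.counter = (self.counter + 1) % ID_SPACE
        elif self.policy == "random-id":             # ~16 bits of entropy
            qid, port = self.rng.randrange(ID_SPACE), 53
        elif self.policy == "random-id-port":        # 2008 fix: ~16 + ~16 bits
            qid, port = self.rng.randrange(ID_SPACE), self.rng.randint(PORT_MIN, PORT_MAX)
        else:
            raise ValueError(self.policy)
        self.outstanding = (qid, port)
        return qid, port

    def accept(self, qid: int, port: int) -> bool:
        """A reply is accepted (and would be cached) only if id and port match."""
        return (qid, port) == self.outstanding


def forged_replies(policy: str, observed, n: int, rng: random.Random):
    """Guesses an off-path attacker sends after seeing one earlier (id, port).
    With sequential IDs the next one is simply observed + 1, so one packet does."""
    if policy == "sequential":
        return [((observed[0] + 1) % ID_SPACE, observed[1])]
    if policy == "random-id":
        return [(qid, 53) for qid in rng.sample(range(ID_SPACE), n)]
    return [(rng.randrange(ID_SPACE), rng.randint(PORT_MIN, PORT_MAX)) for _ in range(n)]


def spoof_success_rate(policy: str, forged_per_race: int, races: int, seed: int = 1) -> float:
    """Fraction of races in which one of the forged replies is accepted."""
    rng = random.Random(seed)
    resolver = Resolver(policy, rng)
    wins = 0
    for _ in range(races):
        observed = resolver.send_query()   # a query the attacker provoked and observed
        resolver.send_query()              # the victim query being raced
        guesses = forged_replies(policy, observed, forged_per_race, rng)
        if any(resolver.accept(q, p) for q, p in guesses):
            wins += 1
    return wins / races


if __name__ == "__main__":
    for policy in ("sequential", "random-id", "random-id-port"):
        print(policy, spoof_success_rate(policy, forged_per_race=256, races=2000))
```

Sequential IDs lose every race to a single forged packet; a random 16-bit ID gives each race roughly forged/65536 odds, which is exactly why the "hijack a whole domain" attack repeats the race for many bogus names; adding a random source port pushes the per-race odds down by another factor of tens of thousands, and DNSSEC removes the guessing game entirely.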

Re: Reverse address entries

2013-06-28 Thread Mark Elkins
On Fri, 2013-06-28 at 17:54 +, Ward, Mike S wrote: Hello all, is there any reason to setup reverse address entries for a zone? I have asked some of the admins here and the consensus from them is that only A records are necessary. Is this true? (IPv4 hat on) I've taught my staff to plan

Re: Audit the consistency of zone files on DNS servers

2014-03-14 Thread Mark Elkins
On Fri, 2014-03-14 at 14:54 -0400, Kevin Darcy wrote: On 3/14/2014 2:39 PM, Maren S. Leizaola wrote: On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote: On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers p.may...@imperial.ac.uk wrote a message of 25 lines which said: dig @server

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mark Elkins
On Wed, 2014-02-26 at 00:55 +, Michael McNally wrote: A new compile-time option, configure --enable-native-pkcs11, allows the BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a cryptographic hardware service module (HSM) directly instead of

Re: BIND 9.10.0b1 is now available

2014-03-17 Thread Mark Elkins
On Mon, 2014-03-17 at 20:06 +, Evan Hunt wrote: On Mon, Mar 17, 2014 at 08:41:13PM +0100, Mathieu Arnold wrote: Yes, it was my understanding of how HSM worked. That's why I was trying to build with OpenSSL *and* native PKCS11, to get the DNSSEC validation on one side, and PKCS11

Re: tsig-key

2014-06-10 Thread Mark Elkins
If it was and is now no longer working, re-sync/reset your clock on the machine. TSIG needs the clocks (your PC time) correct to within 5 minutes. On Tue, 2014-06-10 at 18:56 +0300, Mohammed Ejaz wrote: I have info blox DNS appliance and slave is BIND

Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does 48.113.0.203.in-addr.arpa point? Some people will point it at example.com, some will point

Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
still disagree. When there is forward--reverse checking, one may need the complete answer. I certainly have some processes that do an exhaustive check. - Kevin On 9/11/2014 3:45 AM, Mark Elkins wrote: On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote: No, what I'm saying

Re: Can I run two name servers on one host with two IP addresses?

2015-08-20 Thread Mark Elkins
On Thu, 2015-08-20 at 09:50 -0500, /dev/rob0 wrote: On Thu, Aug 20, 2015 at 02:07:57PM +0200, Robert Senger wrote: There are a number of providers out there offering secondary dns services for free or for a few bucks/month. Even DNSSEC is possible for free. This is good news! I knew

Re: tsig indicates error

2015-07-24 Thread Mark Elkins
On Fri, 2015-07-24 at 15:44 +, Managed Pvt nets wrote: On 24/07/2015 5:05:24 PM, Alan Clegg a...@clegg.com wrote: Possible problems: Mismatched keys. Mismatched key names. Mismatched clocks. Most likely mismatched key. I have to figure out how to make sure my

Re: tsig indicates error

2015-07-24 Thread Mark Elkins
On Fri, 2015-07-24 at 11:05 -0400, Alan Clegg wrote: Possible problems: Mismatched keys. Mismatched key names. Mismatched clocks. Yes - running some sort of Time Synchronisation is often overlooked. Check: Simultaneously run date on both machines - must be within 5 minutes of each
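The three failure causes listed above (mismatched key, mismatched key name, mismatched clocks), as an added example that is not code from this thread or the 2014 "tsig-key" one: it computes the TSIG MAC over the message plus the TSIG variables as RFC 8945 section 4.3.3 lays them out, then runs the receiver's checks in the order the RFC specifies, key name and algorithm first (BADKEY), MAC second (BADSIG), time last (BADTIME). A clock more than 'fudge' seconds out (300 s by default, the five minutes mentioned above) fails only the last check, which is why a peer that worked yesterday and fails today with an unchanged key is usually an NTP problem. The message bytes, key name and secret are constructed.

```python
"""Added example: TSIG signing and the BADKEY/BADSIG/BADTIME checks (RFC 8945).
Not from the posts; message and secret are constructed."""
import hashlib
import hmac
import struct

ALG_SHA256 = "hmac-sha256."  # dig -y defaults to hmac-md5; say -y hmac-sha256:name:secret
DEFAULT_FUDGE = 300          # seconds of clock difference tolerated


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(keyname: str, alg: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """'TSIG Variables' appended to the message for the MAC: key name, CLASS ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other-len, other."""
    return (name_to_wire(keyname) + struct.pack("!HI", 255, 0)
            + name_to_wire(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message: bytes, keyname: str, secret: bytes, time_signed: int,
         fudge: int = DEFAULT_FUDGE) -> dict:
    """Fields the signer places in the TSIG RR of the additional section."""
    mac = hmac.new(secret, message + tsig_variables(keyname, ALG_SHA256, time_signed, fudge),
                   hashlib.sha256).digest()
    return {"keyname": keyname, "alg": ALG_SHA256, "time_signed": time_signed,
            "fudge": fudge, "mac": mac}


def verify(message: bytes, tsig: dict, keyring: dict, now: int) -> str:
    """keyring maps 'name.' (lower-case, absolute) to secret bytes.
    Returns the RCODE name a server would log."""
    secret = keyring.get(tsig["keyname"].lower().rstrip(".") + ".")
    if secret is None or tsig["alg"].lower() != ALG_SHA256:
        return "BADKEY"    # unknown key name, or algorithm we do not share
    expected = hmac.new(secret, message + tsig_variables(tsig["keyname"], tsig["alg"],
                                                         tsig["time_signed"], tsig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"    # different secret, or message altered in transit
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"   # clocks differ by more than fudge seconds
    return "NOERROR"


if __name__ == "__main__":
    msg = b"constructed AXFR request bytes"
    secret = b"constructed-secret-bytes"
    signed_at = 1_600_000_000
    t = sign(msg, "mynet.", secret, signed_at)
    print(verify(msg, t, {"mynet.": secret}, signed_at + 120))   # good peer
    print(verify(msg, t, {"mynet.": secret}, signed_at + 600))   # clock 10 min out
    print(verify(msg, t, {"mynet.": b"other"}, signed_at))       # wrong secret
    print(verify(msg, t, {"othernet.": secret}, signed_at))      # wrong key name
```

The practical check the post suggests, running 'date' on both machines at the same moment, is just the last branch of verify: if the difference is under five minutes and the transfer still fails, look at the key and its name instead.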

Re: About query response on a view

2015-12-10 Thread Mark Elkins
s, but separating them with views isn’t a good solution? > > @Eray Aslan, additional-from-cache and additional-from-auth settings > did the trick, now server gives “query refused” > > @Barry Finkel, yes I typed dig ww. At that point, every recursive > query gives the same output.

Re: About query response on a view

2015-12-09 Thread Mark Elkins
If you ever want to do DNSSEC - you are going to have a problem. If possible - have two different servers, one for inside, one for outside. This could be: (1) Two different machines (2) One machine - virtualised - each of the two virtual machines logically like (1) (3) One machine with two IP

Re: Trouble with option managed-keys

2016-05-17 Thread Mark Elkins
"managed-keys" is not a config option, try moving it outside the option stanza, eg options { version ""; // remove this to allow version queries listen-on{ 127.0.0.1; 192.168.21.101; }; listen-on-v6 { none; }; empty-zones-enable yes; allow-query

dig and IDN

2016-10-12 Thread Mark Elkins
O.S. - Linux Gentoo. BIND/BIND Tools: BIND 9.10.4-P3 I've been using "dig axfr" to fetch signed and unsigned zones for doing comparisons. The output is easy to parse as dig gives one line records - fully qualified - etc. One of the records includes some IDN (Puny) stuff..

Re: Troubleshooting BIND stops responding

2017-03-30 Thread Mark Elkins
On 30/03/2017 06:35, i.chu...@volga.ttk.ru wrote: > Greetings to everyone! > > I'm an engineer at local ISP and we have to provide 2 DNS servers running > BIND for our clients. We have logs full of various BIND errors but are > unable to gain full understanding of the problem. The main problem

Re: named-checkzone with multiple $ORIGIN

2017-06-05 Thread Mark Elkins
Most certainly - Yes. You have a single zone here, thus only: named-checkzone example.com example.com.zone ...should work. Wait till you play with a reverse IPv6 zone - where I personally use many $ORIGIN statements - saves hours of typing and makes reading the Zones

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-19 Thread Mark Elkins
Another solution could be to make one of the names a CNAME pointing to the other name. -or- Just use one generic name for both services. rather than the two "service" names. Although in all honesty, I see nothing wrong with a lookup returning two answers (in a single response packet) for the

Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?

2017-06-18 Thread Mark Elkins
Put two reverse records in both the IPv4 and IPv6 reverse zones in the "125.124.123.in-addr.arpa" zone: 126 IN PTR mail.xxx.com. 126 IN PTR ns.xxx.com. and the same sort of thing in the reverse IPv6 zone. To calculate run:- 2a01:e34:::::1122:3344 and see what
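The ip6.arpa naming used in this reply and in the "Format of the IPv6 reversed zone" and "named-checkzone with multiple $ORIGIN" threads above, as an added example that is not code from any of the posts: it computes the reverse name by nibble reversal, checks the result against the standard library, and writes a reverse zone with one $ORIGIN per /64 so that each PTR owner is a short relative label (the layout that "saves hours of typing"). The addresses and hostnames are constructed; 2001:db8::/32 is the documentation prefix, not anyone's real allocation.

```python
"""Added example: ip6.arpa names and a per-/64 $ORIGIN reverse zone.
Not from the posts; addresses and hostnames are constructed."""
import ipaddress


def reverse_name(addr: str) -> str:
    """Full ip6.arpa owner name: all 32 nibbles, least significant first."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def matches_stdlib(addr: str) -> bool:
    """Cross-check against ipaddress.reverse_pointer (no trailing dot there)."""
    return reverse_name(addr) == ipaddress.IPv6Address(addr).reverse_pointer + "."


def split_origin(addr: str, origin_bits: int = 64):
    """Return (origin zone name of the enclosing block, relative owner label)."""
    if origin_bits % 4 or not 0 < origin_bits < 128:
        raise ValueError("origin must be a nibble boundary inside the address")
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    cut = origin_bits // 4
    origin = ".".join(reversed(nibbles[:cut])) + ".ip6.arpa."
    relative = ".".join(reversed(nibbles[cut:]))
    return origin, relative


def reverse_zone(ptrs: dict, origin_bits: int = 64) -> str:
    """ptrs maps address -> list of hostnames; several PTRs per address are
    allowed, as with the mail/ns pair above. Records are grouped under one
    $ORIGIN per block so owners stay short and the zone stays readable."""
    groups = {}
    for addr, names in ptrs.items():
        origin, rel = split_origin(addr, origin_bits)
        groups.setdefault(origin, []).append((rel, names))
    lines = []
    for origin in sorted(groups):
        lines.append(f"$ORIGIN {origin}")
        for rel, names in sorted(groups[origin]):
            for hostname in names:
                lines.append(f"{rel}\tIN\tPTR\t{hostname}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reverse_name("2001:db8::1"))
    print(reverse_zone({
        "2001:db8::1": ["ns.example.com.", "mail.example.com."],  # constructed
        "2001:db8:0:1::25": ["smtp.example.com."],
    }))
```

With origin_bits set to 112 instead of 64 the relative labels shrink to four nibbles, which is the usual choice when a /64 holds only a handful of hosts.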

Automatic Key Management

2017-09-14 Thread Mark Elkins
With BIND version 9.12  coming out - I'm wondering if I've missed any announcements on some form of Automatic (DNS)Key Management? Something that will create and retire keys according to some sort of policy. Does anyone have nice and up-to-date cheat sheets of the easiest way to do DNSSEC with

Re: Automatic Key Management

2017-09-16 Thread Mark Elkins
On 14/09/2017 16:55, Tony Finch wrote: > Mark Elkins <m...@posix.co.za> wrote: > >> With BIND version 9.12  coming out - I'm wondering if I've missed any >> announcements on some form of Automatic (DNS)Key Management? >> Something that will create and retire keys ac

Re: DNS-Format-Error

2017-12-18 Thread Mark Elkins
$ dig mumbai-m.site ns ; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;mumbai-m.site.            IN    NS ;; ANSWER SECTION: MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj. I seemed to have cached

Re: disable dnssec for particular domain

2018-02-07 Thread Mark Elkins
Thanks for providing the domain name in question (testa.eu). Indeed, port 43 whois shows no nameservers - neither does the web based whois on whois.eurid.eu, though the name does exist in the 'eu' registry system. Dig gives me nothing either... $ dig testa.eu ns +short $ dig testa.eu ds +short

Re: questions on allow-query

2018-02-19 Thread Mark Elkins
Reading between the lines - it sounds like you may be mixing nameserver roles, recursion with authoritative. This is not a good idea and is why other Nameserver software (NSD, UNBOUND and others) either perform one role or the other. I understand that BIND-10 was also designed like this -

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
meone else also asked the same question but wasn't allowed to change the default behaviour. :-( So, if you are having issues running "rndc secroots", a quick suggestion would be to try appending a 'hyphen' ('-') as an additional argument and see if that helps. On 09/07/2018 06:46 PM, Tony

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
t; Hi Mark, > > Dne 7.9.2018 v 10:49 Mark Elkins napsal(a): >> It would probably have been more helpful (speeded up finding the >> problem) if the error message "file 'named.secroots': permission denied" >> also gave the directory name that it was trying

Re: DNSSEC and secondary DNS servers

2018-09-08 Thread Mark Elkins
Some clarification Have you DNSSEC Signed your Domain - that is "covisp.net" because I don't see any DS records for it in the "net" zone. dig @a.gtld-servers.net. covisp.net ds flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 returns the SOA for NET - so I know I got to the

DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Mark Elkins
Just for the record, although I do look from a curiosity point of view for Identical Key ID's once every few month - I've never seen them - until now. Now I have them - generated by BIND within a few days of each other... -rw-r--r-- 1 root root   431 Aug 18 00:03 Kipv6.org.za.+008+46578.key

DNSSEC and secondary DNS servers

2018-09-09 Thread Mark Elkins
you using to sign your zone with? Maybe I can help. Take a look at https://dnssec.co.za On 09/09/2018 08:59 PM, LuKreme wrote: > On Sep 8, 2018, at 10:21, Mark Elkins <mailto:m...@posix.co.za>> wrote: >> Have you DNSSEC Signed your Domain - that is "covisp.net >> <h

Re: [BIND] RE: KSK Rollover

2018-09-07 Thread Mark Elkins
It would probably have been more helpful (speeded up finding the problem) if the error message "file 'named.secroots': permission denied" also gave the directory name that it was trying to write to? Just a thought. Sometimes we don't see the obvious. On 09/06/2018 10:58 PM, Brent Swingle wrote:

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Mark Elkins
On 10/04/2018 05:03 PM, Roberto Carna wrote: > Hello, thanks to both of you for your help. Now I understand I have to > contact my registrar in order to give it the DS of the KSK. > > Please I have a last question: > > I have two DNS servers running BIND 9.10, they have delegated my own >

Re: Strange DNSsec failure [was incorrectly sent Thursday night]

2019-04-13 Thread Mark Elkins
Works fine for me? - unless it's been fixed in the meantime. This is stock standard bind. Nothing funny at all on both the query machine and the DNSSEC aware resolver. Both run the same version of BIND. $ dig mx1.comcast.net ; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net ;; global options:

Re: Algorithm roll-over, unexpected content in dsset-file

2019-08-12 Thread Mark Elkins
Signing Key), see https://tools.ietf.org/html/rfc6781#section-3.1 and https://tools.ietf.org/html/rfc8499#section-10 I don't know exactly what you are trying to achieve, but adding only a ZSK with the new algorithm serves no purpose. Ondřej -- Ondřej Surý — ISC On 11 Aug 2019, at 12:59, Mark

Algorithm roll-over, unexpected content in dsset-file

2019-08-11 Thread Mark Elkins
Hi, Running BIND 9.14.4 on Gentoo. I've been running BIND and DNSSEC for a long time. Years ago - I changed from Algorithm 5 to 8 and am now changing from 8 to 13. My ZSK's have a lifetime of 34 days and my KSK a lifetime of 370 days. I've chosen to create a new ZSK every 17 days and KSK

Re: DNSSEC validation via DLV

2019-07-18 Thread Mark Elkins
I can't comment on com.au (but looking up the Nameservers, I see the AD bit set - so DNSSEC appears to be in use.. However, co.za (and net.za, org.za & web.za) which are managed by the ZACR (and DNS) - they are all signed and I personally have domains under these second levels - all running

Re: DNSSEC validation via DLV

2019-07-19 Thread Mark Elkins
your nameserver configuration to point to the signed zone file -Export your DS records (dsset) to the domain registration company (EPP). Confirm the chain.. http://dnsviz.net/d/apnic.com.au/dnssec/ Mal On 18/07/2019 4:46 pm, Mark Elkins wrote: I can't comment on com.au (but looking up

Re: DNSSEC basic information

2019-09-24 Thread Mark Elkins
On 2019/09/23 23:00, John W. Blue wrote: Jukka, Some odds n ends in no particular order: 1. DNSSEC was designed for external zones 1) I'd also suggest using Algorithm 13 - Elliptic Curve - for any new key creations dnssec-keygen -a ECDSAP256SHA256 ( -f KSK) Zone.being.signed This

Re: How to set up a dmarc record ?

2019-12-10 Thread Mark Elkins
The reason is that you don't have a '.' at the end of "_dmarc.pasteur-cayenne.fr", so what you really have in your zone file is... "_dmarc.pasteur-cayenne.fr.pasteur-cayenne.fr." Another way of seeing this would be to do an AXFR of your zone - these mistakes then jump out at you! Why
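The missing-trailing-dot mistake explained above, as an added example that is not code from the post: a small zone-file reader that qualifies owner names against $ORIGIN the way BIND does, which is exactly what turns an unterminated "_dmarc.pasteur-cayenne.fr" into the doubled name, plus a lint pass that flags owners ending in the origin twice. The zone text is constructed (the poster's domain is used only as the name); note that ';' inside a quoted TXT string (DMARC, SPF) is data, not a comment, so the comment stripper has to be quote-aware.

```python
"""Added example: $ORIGIN qualification and a doubled-origin lint.
Not from the post; the zone text below is constructed."""


def strip_comment(line: str) -> str:
    """Drop a ';' comment but keep ';' that sits inside double quotes."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def qualify(name: str, origin: str) -> str:
    """Relative names get the current $ORIGIN appended; '@' is the origin itself."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> list:
    """Return [(fully qualified owner, rest of record)], tracking $ORIGIN and
    the rule that a line starting with whitespace reuses the previous owner."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)  # a relative $ORIGIN is itself qualified
            continue
        if line.startswith("$"):
            continue  # $TTL and friends are not records for this purpose
        parts = line.split()
        if raw[0].isspace():
            owner, rest = last_owner, parts
        else:
            owner, rest = qualify(parts[0], origin), parts[1:]
        last_owner = owner
        records.append((owner, " ".join(rest)))
    return records


def doubled_origin(records: list, origin: str) -> list:
    """Owners that end in the origin twice: almost always a missing final dot."""
    suffix = "." + origin.strip(".")
    return [owner for owner, _ in records if owner.rstrip(".").endswith(suffix + suffix)]


# Constructed zone: the same DMARC record written three ways.
ZONE = """\
$ORIGIN pasteur-cayenne.fr.
@                           IN TXT "v=spf1 mx -all"
_dmarc.pasteur-cayenne.fr   IN TXT "v=DMARC1; p=none"   ; missing final dot
_dmarc                      IN TXT "v=DMARC1; p=none"   ; relative: fine
_dmarc.pasteur-cayenne.fr.  IN TXT "v=DMARC1; p=none"   ; absolute: fine
"""

if __name__ == "__main__":
    records = parse_zone(ZONE, "pasteur-cayenne.fr.")
    for owner, rest in records:
        print(owner, rest)
    print("doubled:", doubled_origin(records, "pasteur-cayenne.fr."))
```

Running the lint over the output of 'dig axfr' works just as well, since AXFR output is already fully qualified: any owner that contains the zone name twice is the bug.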

BIND-9.16.1 & KASP

2020-04-13 Thread Mark Elkins
Hi all, I have been experimenting with BIND-9.16.1 & KASP. So far - it really looks great and it should greatly simplify DNSSEC for the masses. My named.conf entry:- dnssec-policy "ecdsa256-policy" {     dnskey-ttl 3600;     keys {     ksk lifetime unlimited algorithm ecdsa256;    

Re: BIND-9.16.1 & KASP

2020-04-14 Thread Mark Elkins
Thanks for the reply On 2020/04/14 08:42, Matthijs Mekking wrote: Mark, On 4/13/20 8:54 PM, Evan Hunt wrote: On Mon, Apr 13, 2020 at 02:22:53PM +0200, Mark Elkins wrote: Question - What are the "TYPE65534" records? What are they saying? I am using "DiG 9.16.1" so

dnssec-keygen getting dates wrong

2020-08-30 Thread Mark Elkins
Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much up to date. dnssec-keygen - Version: 9.16.6 I create DNSSEC Keys in a manual process and in order to see when a Key was created (so I can rotate them - etc..) I look at the Creation date inside the 'key' file #

How do I insert "CDS 0 0 0 0"?

2020-10-04 Thread Mark Elkins
What is the magic incantation to insert a "CDS 0 0 0 0" record in BIND. Version - BIND 9.16.6 (Stable Release) I've read RFC 8078 - which says... (https://tools.ietf.org/html/rfc8078) The contents of the CDS or CDNSKEY RRset MUST contain one RR and only contain the exact fields as shown

Re: Serial number question..

2020-12-17 Thread Mark Elkins
I was wondering if there was any significance in the SOA serial value $ date --date='@1297117089' Tue Feb  8 00:18:09 SAST 2011 $ date --date='@1762233707' Tue Nov  4 07:21:47 SAST 2025 ...so nope (but sort of close?) Personally - I try and use a MMDDxx format in my SOA Serial number -

Re: DNSSEC upgrade

2021-04-29 Thread Mark Elkins
Waiting twice the TTL is the safe option. Start counting from when you see the new DS record in the parent. To be even more pedantic, start counting after all authoritative Nameservers have the new DS record... Quite easy to do from a script. And the recommendation to move to ecdsa-p256-sha256

Re: Bind 9.11 serving up false answers for a single domain. (OT)

2021-02-10 Thread Mark Elkins
I think getting rid of SHA1 DS (DS type 1) records would be a reasonable thing to do. They are weaker than SHA256 DS (DS type 2) records. Generally, in life, making things simpler is a good idea and I believe that applies here too. .COM only provides DS type 2 records in the root so if there
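The key tag (Key ID) asked about in "Key ID from DNSKEY - how?", the identical-Key-ID observation in "DNSSEC will eventually generate Identical Key ID's", and the digest type 1 versus type 2 DS records discussed here, in one added example that is not code from any of the posts: the RFC 4034 Appendix B key-tag computation, an index of keys by tag that reports collisions, and DS records of both digest types derived from the same DNSKEY. The DNSKEY public-key bytes are constructed so that the tag can be checked by hand; they are not real keys, and the second key is built deliberately to collide with the first.

```python
"""Added example: DNSKEY key tag, tag collisions and DS generation.
Not from the posts; the 'public keys' are constructed byte strings."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): labels lower-cased."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """RDATA as on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: sum the RDATA as 16-bit big-endian words, fold the
    carry once, keep 16 bits. It is an index hint, not a checksum, so distinct
    keys can share a tag. (Algorithm 1, RSA/MD5, uses a different rule.)"""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int) -> str:
    """DS presentation format; digest is over canonical owner name || DNSKEY RDATA.
    Digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def index_by_tag(keys) -> dict:
    """keys: iterable of (flags, protocol, algorithm, pubkey_b64) -> {tag: [rdata, ...]}."""
    index = {}
    for flags, proto, alg, b64 in keys:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        index.setdefault(key_tag(rdata), []).append(rdata)
    return index


def collisions(keys) -> dict:
    """Tags shared by more than one key; anything that selects keys by tag alone
    (scripts keyed on K<zone>.+<alg>+<tag>) must cope with these."""
    return {tag: rrs for tag, rrs in index_by_tag(keys).items() if len(rrs) > 1}


if __name__ == "__main__":
    # Constructed: public key bytes 03 01 00 01 and 02 01 01 01 sum to the same tag.
    KSK_A = (257, 3, 8, "AwEAAQ==")
    KSK_B = (257, 3, 8, "AgEBAQ==")
    print(key_tag(dnskey_rdata(*KSK_A)), key_tag(dnskey_rdata(*KSK_B)))
    print(ds_record("example.com.", *KSK_A, digest_type=1))
    print(ds_record("example.com.", *KSK_A, digest_type=2))
    print(collisions([KSK_A, KSK_B]))
```

Because the owner name is hashed in canonical (lower-case) form, the DS digest is the same whichever case the registrar's form used for the zone name; the key tag, on the other hand, depends only on the DNSKEY RDATA, which is why two keys for the same zone can legitimately end up with the same tag.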

Re: Change records in DNS slave if master is offline

2021-12-19 Thread Mark Elkins
Apart from master/slave now being Primary/Secondary  (mindset change after 25 years of DNS management) ... I kind of like the idea - except if the Primary server is DNSSEC Signing that zone (and DNSSEC is a really smart thing to be able to do) then editing a Secondary is not a very simple

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Elkins
And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC. One suggestion though. When one signs an IPv4 reverse - use NSEC - as everyone can guess what is there anyway. With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy
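The NSEC versus NSEC3 trade-off described above, as an added example that is not code from the post: walking a constructed NSEC chain lists every name in the zone, which is harmless for an IPv4 reverse zone where the names are guessable anyway; the NSEC3 hash of RFC 5155 section 5 (iterated SHA-1 with a salt, base32hex output) leaves a walker with hashed owners only, and the remaining attack is the dictionary guess in guess_nsec3, whose search space for a sparsely populated IPv6 reverse zone is enormous. The zone names, salt and iteration count are constructed.

```python
"""Added example: NSEC zone walking versus NSEC3 hashed owners (RFC 5155).
Not from the post; names, salt and iterations are constructed."""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form; this is what NSEC3 hashes."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def walk_nsec(chain: dict, apex: str) -> list:
    """chain maps each NSEC owner to its 'next domain name'. Following it from
    the apex until it wraps around enumerates the whole zone."""
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == apex:
            return names


# RFC 4648 base32 -> base32hex alphabet translation (Extended Hex).
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt),
    H = SHA-1, result encoded in base32hex (RFC 5155 section 5)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX).lower()


def nsec3_owners(names, salt: bytes, iterations: int) -> list:
    """What a walker of an NSEC3 chain gets: the sorted hashed owners, nothing else."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def guess_nsec3(hashed_owners, candidates, salt: bytes, iterations: int) -> list:
    """Offline dictionary attack: hash each candidate and look for a match."""
    seen = set(hashed_owners)
    return [c for c in candidates if nsec3_hash(c, salt, iterations) in seen]


if __name__ == "__main__":
    # Constructed NSEC chain for a three-name zone (owner -> next owner).
    CHAIN = {"example.": "mail.example.", "mail.example.": "ns1.example.",
             "ns1.example.": "example."}
    print(walk_nsec(CHAIN, "example."))
    SALT, ITER = bytes.fromhex("aabbccdd"), 12
    hashed = nsec3_owners(CHAIN, SALT, ITER)
    print(hashed)
    print(guess_nsec3(hashed, ["www.example.", "mail.example.", "ns1.example."], SALT, ITER))
```

For an IPv6 reverse zone the candidate list a guesser would need is the 2^64 hosts of each /64, which is the "make the bad guy work" point above; for an IPv4 /24 it is 256 names, so NSEC3 buys nothing there.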

CDS records created from ZSK records?

2022-01-24 Thread Mark Elkins
I've just noticed that in the last few days that "BIND 9.16.22 (Extended Support Version) " appears to be generating CDS records for both KSK ***and ZSK*** records! Nothing on my side has been changed although I do run automated updates. I'm on a Linux machine running Gentoo. $ dig DNSKEY

Re: CDS records created from ZSK records?

2022-01-25 Thread Mark Elkins
-- ... but until there is a trigger system so I can call code to do an EPP based KSK rollover to the parent, will keep what I've got as it (usually) works. On 1/25/22 12:58 AM, Mark Andrews wrote: On 25 Jan 2022, at 07:35, Mark Elkins wrote: I've just noticed that in th

Re: Can't modify an existing SPF record

2022-07-08 Thread Mark Elkins
There can only be one SPF TXT record per domain. A complete record could look like. domain1.com.  IN    TXT   "v=spf1 a:mail.domain1.com a:smtp.domain1.com a:relay.domain2.com -all" It should be logical to use a (domain) name because that name could have multiple IP addresses, both

Re: Facing issues while resolving only one record

2023-08-30 Thread Mark Elkins via bind-users
To disable DNSSEC validation for a domain from the command line - I use:   dig +cd eportal.incometax.gov.in Works as expected. Better answer is to get them to fix the problem. On 2023/08/30 17:08, Bob McDonald wrote: Turning off validation for that domain

Zone stats

2023-08-21 Thread Mark Elkins via bind-users
Hi, I'm writing some software to be able to read information from a Zone file. I am a legally authorised Secondary Authoritative Nameserver for a number of domains or rather zone files, eg. EDU.ZA (and others). Is there an easy way to:- 1) Count how many delegated domains there are (Names

Re: Zone stats

2023-08-27 Thread Mark Elkins via bind-users
DNS" type library so shouldn't be difficult. Yes - this will go into a Database - etc.. On 2023/08/22 02:10, Timothe Litt wrote: (Sorry for the duplicate/reply without context).  See below. On 21-Aug-23 11:11, Mark Elkins wrote: Hi, I'm writing some software to be able to read

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Mark Elkins via bind-users
Hmmm - might be saying the wrong thing but... .SE was DNSSEC Signed waaay before the root, so if living in Sweden, one would prep your DNSSEC aware resolver with the DS Key of the .SE Zone. DNSSEC then worked for .SE domains. Perhaps do the same? I do get confused further down in this email

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Mark Elkins via bind-users
Yes - I think "automated" in-line signing would be useful in "dnssec-policy" run zones. We didn't need this some versions of BIND ago ( I had to add it recently on a zone that I've been testing with - untouched from a year or so ago) We don't generally edit the signed zone - just the

Re: DNSSEC adoption

2022-08-03 Thread Mark Elkins via bind-users
I generally agree with you - comments in line On 8/3/22 5:56 PM, Peter wrote: I see a two-fold issue with DNSSEC: 1. The wide-spread tutorials seem to explain a key rollover as an exceptional activity, a *change* that is infrequently done. And changes, specifically the infrequent ones,

dnssec-policy - KSK rollover

2022-11-23 Thread Mark Elkins via bind-users
Hi people, I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy I have put the following policy in my named.conf file:- dnssec-policy "ecdsa256-policy" {     signatures-refresh 5d;     signatures-validity 14d;     signatures-validity-dnskey 14d;     dnskey-ttl 3600;    

Re: dnssec-policy - KSK rollover

2022-11-24 Thread Mark Elkins via bind-users
Parent. Personally I like to keep the CDS in the child zone, so you can see if the parent is in sync, that is why I implemented it in BIND 9 to keep the CDS. Best regards, Matthijs On 23-11-2022 18:24, Mark Elkins via bind-users wrote: Hi people, I have read https://kb.isc.org/docs/dnss
