Re: Capabilities and limitations of catalog zones
On 2/9/2022 2:36 AM, Tony Finch wrote:
> John Thurston wrote:
>> Are we not able to use catalog zones to propagate zone-configuration for
>> anything other than 'master' zones?
>
> It is only for configuring authoritative secondary zones.

That's unfortunate, but thanks for the confirmation. I had been looking forward to making this work :(

We have only a couple of authoritative zones, but over 60 forward zones. And I expect far more growth and complexity in forward zones than in our authoritative zones (thanks to "cloud", and split private/public name-spaces).

At least I now know to draw a line through "catalog zones", and pursue other distribution options.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec: ds showing hidden 3+ days after key roll
Hi Larry,

Without more information it is hard to tell what is going on. Can you share your dnssec-policy and the contents of the key state file? And if you have useful logs (grep for keymgr) that would be handy too to see what is going on.

If you prefer to share them off list, you can mail them to me directly.

Best regards,

Matthijs

On 08-02-2022 18:00, Larry Rosenman wrote:
> Greetings, new poster.
>
> I just converted over to DNSSEC-policy, and rolled my KSK.
>
> I see:
>
> key: 269 (RSASHA256), KSK
>   published: yes - since Sun Feb 6 14:31:32 2022
>   key signing: yes - since Sun Feb 6 14:31:32 2022
>
>   No rollover scheduled
>   - goal: omnipresent
>   - dnskey: omnipresent
>   - ds: hidden
>   - key rrsig: omnipresent
>
> ler in thebighonker in namedb on master [!] as 慄 ❯
>
> Is it normal to see the ds as hidden? It IS published, and I told rndc that.
>
> Any insight appreciated.
Re: Capabilities and limitations of catalog zones
John Thurston wrote:
> Are we not able to use catalog zones to propagate zone-configuration for
> anything other than 'master' zones?

It is only for configuring authoritative secondary zones.

You are right that this isn't completely clear in the documentation, unless you read the whole section carefully (it is not stated explicitly in the section's introduction).

https://bind9.readthedocs.io/en/v9_16_25/advanced.html#catalog-zones

Tony.
--
f.anthony.n.finch  https://dotat.at/
Rockall, Malin, Hebrides, Bailey: West, becoming cyclonic, 7 to severe gale 9, occasionally storm 10 except Malin, becoming north or northwest 5 to 7 later. High or very high, occasionally very rough later. Squally wintry showers. Moderate or poor.
Re: Capabilities and limitations of catalog zones
That's right, catalog zones are for synchronizing the list of zones served by the primary, so that the secondaries can retrieve those zones using AXFR/IXFR.

You can't even use "allow-transfer" on a forward zone, so it is not meant to be transferred to secondaries.

A couple of observations about your configuration:

> version IN TXT "2"

Currently BIND supports only version "1", though it is not being enforced at this moment.

> forwarders { 10..11.12.13; };

BIND shouldn't even start with this invalid IP address (two dots).

--
Aram
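
An added example, not part of the thread and not BIND's own code: since catalog zones cannot carry forward zones, one alternative is to generate the `type forward` stanzas for every resolver from a single inventory and validate the forwarder addresses first, which catches a typo such as the `10..11.12.13` quoted above before the file is distributed. The zone names, the inventory and the `forward only;` setting are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory (assumption): zone name -> forwarder addresses.
# "cloud.example" reproduces the malformed address quoted in the thread.
SAMPLE_ZONES = {
    "corp.example": ["10.11.12.13", "10.11.12.14"],
    "cloud.example": ["10..11.12.13"],
    "v6.example": ["2001:db8::53"],
}

def bad_forwarders(addresses):
    """Return the entries that are not valid IPv4/IPv6 address literals."""
    bad = []
    for addr in addresses:
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)
    return bad

def render_forward_zone(name, addresses):
    """Render one 'type forward' stanza ('forward only' is an assumption)."""
    if not addresses:
        raise ValueError(f"{name}: no forwarders given")
    bad = bad_forwarders(addresses)
    if bad:
        raise ValueError(f"{name}: invalid forwarder(s): {', '.join(bad)}")
    fwd = " ".join(f"{ipaddress.ip_address(a)};" for a in addresses)
    return (
        f'zone "{name}" {{\n'
        "    type forward;\n"
        "    forward only;\n"
        f"    forwarders {{ {fwd} }};\n"
        "};\n"
    )

def build_include(zones):
    """Return (config_text, errors); zones that fail validation are left out."""
    stanzas, errors = [], []
    for name in sorted(zones):
        try:
            stanzas.append(render_forward_zone(name, zones[name]))
        except ValueError as exc:
            errors.append(str(exc))
    return "\n".join(stanzas), errors

if __name__ == "__main__":
    text, errs = build_include(SAMPLE_ZONES)
    print(text, *("skipped: " + e for e in errs), sep="\n")
```

Running `named-checkconf` on the generated file before reloading remains the authoritative syntax check.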