Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Michael Sinatra
On 10/01/11 04:54, Bill Owens wrote: On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote: In our initial implementation of DNSSEC, we chose to try out the "auto" functionalities in version 9.8.0 P4, i.e. using "auto-dnssec maintain" in all master zones. When going live, we found t

Re: ZSK pre-publish

2011-10-01 Thread CT
On 10/01/2011 04:40 AM, Matthew Seaman wrote: On 01/10/2011 09:25, CT wrote: I have a few static zones that I sign via script keydir = directory for both KSK and ZSK $zone = zone file /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone Fetching KSK 4054/RSASHA256 from key r

Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Bill Owens
On Fri, Sep 30, 2011 at 10:26:34PM +, Raymond Drew Walker wrote: > In our initial implementation of DNSSEC, we chose to try out the "auto" > functionalities in version 9.8.0 P4, i.e. using "auto-dnssec maintain" in > all master zones. > > When going live, we found that though all zones that we a

Re: ZSK pre-publish

2011-10-01 Thread Matthew Seaman
On 01/10/2011 09:25, CT wrote: > >> I have a few static zones that I sign via script >> keydir = directory for both KSK and ZSK >> $zone = zone file >> /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone >> >> >> Fetching KSK 4054/RSASHA256 from key repository. >> Fetching ZSK

Re: ZSK pre-publish

2011-10-01 Thread CT
I have a few static zones that I sign via script keydir = directory for both KSK and ZSK $zone = zone file /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone Fetching KSK 4054/RSASHA256 from key repository. Fetching ZSK 36948/RSASHA256 from key repository. Fetching ZSK 653

ZSK pre-publish

2011-10-01 Thread CT
I have a few static zones that I sign via script keydir = directory for both KSK and ZSK $zone = zone file /usr/local/sbin/dnssec-signzone -S -g -a -H 10 -3 $SALT -K keydir $zone Fetching KSK 4054/RSASHA256 from key repository. Fetching ZSK 36948/RSASHA256 from key repository. Fetching ZSK 65304

Re: DNSSEC not populating parent zone files with DS records

2011-10-01 Thread Casey Deccio
On Fri, Sep 30, 2011 at 6:16 PM, Hauke Lampe wrote: > Aside from the missing DS, I don't see why BIND complains about the > NXDOMAIN response at first and then returns that cached record set in > response to later queries for the same name. dig +sigchase validates it, > if provided with the nau.e