Constant errors concerning in-addr.arpa SOA (insecure response)

2020-05-30 Thread vom513
Hello all, I've searched the list - and there is a thread from 7 years ago that seems to match what I am seeing: https://lists.isc.org/pipermail/bind-users/2013-March/090003.html I am seeing this on a fresh Debian 10 install, using the Debian bind9 packages (specifically as of this moment I

Re: Constant errors concerning in-addr.arpa SOA (insecure response)

2020-05-30 Thread vom513
Sorry to self reply - I *think* I figured this out. Looks like the messages I was seeing (at least to my eyes) make this seem like a true failure in the chain of recursion/validation. Looks like it’s more benign - misconfigured auth servers for various in-addr.arpa zones handing out

nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
Hello, Can anyone point me to an example of how to do this ? I have a script that rotates my DKIM keys, and uses nsupdate to publish. With 1024 bit - I must be getting by by the skin of my teeth… When I try 2048 bit, the record is obviously longer. All of my attempts of running it through

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
Done: https://gitlab.isc.org/isc-projects/bind9/-/issues/1907 Thanks. > On Jun 1, 2020, at 7:08 AM, Ondřej Surý wrote: > > I think it’s reasonable for nsupdate to do the chunking on itself. Patches > are always welcome, but if you

Re: nsupdate - adding large/split TXT record (2048 bit DKIM key)

2020-06-01 Thread vom513
> On Jun 1, 2020, at 6:50 AM, Andreas S. Kerber wrote: > > Yeah, I had troubles with those 2048 bit DKIM records too. nsupdate will need > it like this: > > server X.X.X.X > zone ag-trek.de > update add test.ag-trek.de. 86400 IN TXT "v=DKIM1; >

9.16.27 (Raspberry PI package) - memory usage

2022-05-01 Thread vom513
Hello, I have an rPi here at home running as a second DNS server to my main (non-rPi) bind instance. The pi unfortunately only has 1G ram. I’ve set max-cache-size to 50% and verified it took effect: root@ns2:~# grep size /var/log/daemon.log May 1 12:38:23 ns2 named[6295]:

parental-agents clause - IP address only ?

2022-12-04 Thread vom513
Hello all, So I set up parental-agents lists for my zones, and actually got to see it work (awesome !). bind detected the parent DS records and acted accordingly. However, I currently have these lists configured using the IP (v4 only at the moment) addresses of the parent NS’es. I tried

Re: parental-agents clause - IP address only ?

2022-12-05 Thread vom513
> On Dec 5, 2022, at 4:06 AM, Matthijs Mekking wrote: > > 'parental-agents' work the same as 'primaries'. It only supports addresses. > > Listing them as domain names would technically be possible to implement, but > it requires an authoritative server to act as an resolver. Adding resolver

Re: How to remove RR from dnssec policy signed zone ?

2022-12-15 Thread vom513
> On Dec 15, 2022, at 11:31 PM, Mark Andrews wrote: > > Stop freezing the zone. Use nsupdate to update the zone. Add a record back > in at the name using nsupdate. Then remove using nsupdate. If you really > want to edit the zone by hand use ‘inline-signing yes;’. > Yes, this is exactly

Re: dnssec-policy - any way to force bind to resign all records ?

2022-12-15 Thread vom513
Sorry to self-reply… I’m still getting used to dnssec-policy. With the RRSIGs directly in the zone file now I was having some trouble. I think I got it now - I needed to change the TTL on a given RR, and delete the RRSIG for that RR. Lather, rinse, repeat for any/all other RR’s. BIND will

How to remove RR from dnssec policy signed zone ?

2022-12-15 Thread vom513
* Sorry to spam the list guys, just really pulling my hair out with some aspects of this migration I’ve done... Seems like a simple question ? And maybe it is but I’m just way off track. I have a DNSSEC signed zone (dnssec-policy). It’s also dynamic. So to make a change (in this case remove

dnssec-policy - any way to force bind to resign all records ?

2022-12-15 Thread vom513
Hello, I changed one of my domains over to dnssec-policy today (in a “nuclear” fashion) - but everything went surprisingly well. Previous to this, I had lowered all my TTLs to hopefully help with this process or any errors/mistakes I might make. I then went to put the TTLs back to their

Migrating to dnssec-policy - existing "stack" of future keys ?

2022-11-16 Thread vom513
Hello, I’m wanting to go ahead and look at migrating to dnssec-policy for my zones. I currently use “auto-dnssec maintain” and “inline-signing yes”. I also have a “stack” of ZSKs I made that all nicely overlap with their various date settings. I think I made these out to sometime in 2024.

Re: dnssec-policy - CSK rollover help

2022-11-21 Thread vom513
> On Nov 21, 2022, at 3:29 AM, Matthijs Mekking wrote: > > Hi, > > It is hard to see what the problem is without any configuration or state > information. Also, log level debug 3 gives you probably more useful logs when > investigating a problem. > > Can you share (privately if you wish)

Re: Struggling with dnssec-policy timers

2022-11-28 Thread vom513
Thanks for the reply and info… I would have thought the CDS would be published before the key went active. I.e. there would be a period of TWO DS’es at the parent (I’m assuming the parent supports CDS/CDNSKEY which mine (registrar) does). Since the new key goes active, CDS is published, and

Re: Struggling with dnssec-policy timers

2022-11-28 Thread vom513
> On Nov 28, 2022, at 3:12 PM, vom513 wrote: > > Thanks for the reply and info… > > I would have thought the CDS would be published before the key went active. > I.e. there would be a period of TWO DS’es at the parent (I’m assuming the > parent supports CDS/CDNSKEY

isc.org - error on KB article

2022-11-16 Thread vom513
ISC folks: can someone take a look at: https://kb.isc.org/docs/dnssec-key-and-signing-policy Seems one of the examples has a “-when” argument to rndc and the time is “1w” rndc seems to want MMDDHHMMSS (UTC) instead. Thanks. -- Visit https://lists.isc.org/mailman/listinfo/bind-users

Struggling with dnssec-policy timers

2022-11-27 Thread vom513
Hello all, I’m still having a really hard time understanding and getting my timings right. At least I think I am (from the way I’m reading the status/logs/state files). I let my current CSK get completely “omnipresent” for all it’s timers (I’m not even sure if this is really necessary…) I

dnssec-policy - CSK rollover help

2022-11-19 Thread vom513
Hello, So I reconfigured one of my domains to use dnssec-policy. I’m using the policy “default” + I’ve only added nsec3 stuff. All other timers / params are from default. Working fine / as expected. Luckily for me this is a domain that I don’t use much. So outages and mistakes are easily

Re: Determine parental-agents automatically

2023-02-28 Thread vom513
rate a file per parent zone, and $INCLUDE it where needed. https://github.com/vom513/vom-scripts/tree/master/generate-parental-agents You will likely need to change some of the variables near the top to suit your needs. Also you may want to comment out the end parts that do the diff and emaili

checkds - min. version for this ?

2024-07-18 Thread vom513
Hello all, I could have sworn I saw mention on this list at some point of this (just can’t find it in the archives). I currently run a 9.18.x BIND and I use parental agents for automatic key rollover. I have a script that builds these and I included them in my config. From what I read on: