Re: rndc reload has no effect?
On 12/31/11 8:09 AM, Ken Peng wrote:

> Today I set up a new name system, BIND 9.7.3 with multi-views; zone
> transfers are going based on different TSIG-Keys.
>
> I have found a strange problem: when I edited the zone file, added a
> record, increased the serial number, then ran rndc reload, nothing
> happened. The newly added record can't be queried on both the master
> and the slaves.
>
> It seems rndc reload doesn't take effect on views with TSIG-Keys?
>
> Please help, thanks.

Hello Ken,

this might be a problem of multiple instances of BIND running. Check with

    ps aux | grep named

if you have more than one BIND process.

--
Carsten

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Take your DNSSEC with a grain of salt ...
Hi,

because it was a recurring question in the ISC/Men & Mice DNSSEC trainings this year, I've taken some time to write down my knowledge on NSEC3 use of the salt and iteration parameters:

http://strotmann.de/roller/dnsworkshop/entry/take_your_dnssec_with_a

Please let me know if you find something missing or wrong.

Happy new year 2012 to all DNS admins out there

--
Carsten

RE: Take your DNSSEC with a grain of salt ...
> I've taken some time to write down my knowledge on NSEC3 use of the
> salt and iteration parameters:
> http://strotmann.de/roller/dnsworkshop/entry/take_your_dnssec_with_a

Thanks, Carsten. This is a very clear, concise, and informative article. Given the recommendation to change NSEC3 salt values with each ZSK rollover, I would like to make the following suggestion for bind9 and bind10. Enhance bind9 dnssec-keygen (and whatever the equivalent turns out to be for bind10) to include a random or specified salt as part of the key metadata. When the key activation date/time is reached for NSEC3 zones, automatically modify the NSEC3PARAM record and regenerate the NSEC3 chain with the new salt value.

Happy New Year to all.

Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
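
Added example (not part of the thread, and not code from BIND or from Carsten's article): the RFC 5155 NSEC3 owner-name hash in Python, showing why a salt change at ZSK rollover, as suggested above, means the whole NSEC3 chain has to be regenerated. The zone names and the second salt are constructed sample values; the first salt and the iteration count are those of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648, section 7).
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:          # root name: no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash, algorithm 1 (SHA-1): H(x || salt), then `iterations`
    additional rounds of H(previous || salt), base32hex-encoded."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def nsec3_chain(names, salt_hex, iterations):
    """Hashed owner names in chain (sorted) order, each with its source name."""
    return sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)


if __name__ == "__main__":
    zone = ["example", "a.example", "ns1.example", "www.example"]  # constructed
    for salt in ("aabbccdd", "0123456789abcdef"):  # old salt, constructed new salt
        print("salt", salt)
        for hashed, owner in nsec3_chain(zone, salt, 12):
            print("  %s  <- %s" % (hashed, owner))
```

Every hashed owner name changes with the salt, so no NSEC3 record from the old chain can be reused after the NSEC3PARAM record is updated.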