RHEL, Centos, Rocky, Fedora rpm 9.16.33

2022-09-21 Thread Carl Byington via bind-users

https://www.five-ten-sg.com/mapper/bind contains links to the source
rpm, and build instructions. This .src.rpm contains a .tar.gz file with
the ARM documentation, so the rpm rebuild process does not need sphinx-
build and associated dependencies.




-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Is there an rndc command to get the list of configured zones?

2022-09-21 Thread Tony Finch
Klaus Darilion via bind-users wrote:

> I checked all options of rndc to get the list of zones configured/served by 
> bind - but I can't find any.
> Is it really not possible to get this list from a running Bind process?

The statistics channel is your friend when rndc lets you down. Below I
have pasted a wee script I have lying around, or you might like JP Mens'
bzl program https://github.com/jpmens/bzl
https://jpmens.net/2010/10/21/using-binds-statistics-server-to-list-zones-and-axfr-the-list/

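#!/bin/sh
# List the zones known to a running named via its statistics channel.
# $1 is the address of the statistics channel, as used in the URL below.

case $# in
(1)	;;
(*)	echo 1>&2 'usage: lszones [:port]'
	exit 1
esac

# Print one line per zone: view, type, serial, name.
curl -Ssf "http://$1/json" |
jq '.views |
    to_entries |
    .[] |
    .key as $view |
    .value.zones[] |
    "\($view) \(.type) \(.serial) \(.name)"
'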

-- 
Tony Finch(he/they)  Cambridge, England
Fair Isle, Faeroes: South or southwest 5 to 7. Moderate, occasionally
slight, becoming moderate or rough. Occasional rain and fog patches,
showers later in Faeroes. Moderate or good, occasionally very poor.


Re: DS keys with 2 digest algorithms

2022-09-21 Thread Petr Špaček

On 20. 09. 22 20:32, frank picabia wrote:


> The algorithm migration I made to 8 has worked well.
> Getting green lights on DNSSEC checkers, etc.
>
> The only odd bit is some warnings at DNSVIS.NET about DS records using
> digest algorithm 1.
>
> DNSSEC specification prohibits signing with DS records that use digest
> algorithm 1 (SHA-1).
>
> Somehow the way I do the zone signing results in 2 pairs of DS
> records - one with digest algorithm 2 and one with algorithm 1.
>
> This is the command I've been running lately:
>
> /sbin/dnssec-signzone -A -3 - -N keep -o mydomain.ca
>  -t -f forward/mydomain.ca.signed
> forward/mydomain.ca
>
> As per the howtos I followed years ago, I've provided the domain registrar
> with both DS key records (one key number, two digest algorithms).
>
> mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
> mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416

mydomain.ca does exist but does not show the warning you describe, so I
suppose you are not telling us the real domain name.

If you want help for your specific domain please follow advice given here:

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

TL;DR post the real domain name.

> In the diagram at DNSVIS.NET, it looks like the DS with alg 1
> is dangling at the top level domain (.ca) with the yellow warning as per
> above, while the alg 2 links to my domain's DNSKEY properly.
>
> How should I tidy up this digest algo 1?  Do I simply remove it at the
> domain registrar, or is there a better way to run dnssec-signzone?

Well _maybe_ you can simply drop the DS algo 1, but we cannot be sure
without checking on the real domain name.


--
Petr Špaček
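
Added example, not part of the thread or of BIND: a local audit of a DS RRset that checks each digest has the right length for its type and reports which SHA-1 (digest type 1) DS records refer to a key that also has a SHA-256 or SHA-384 DS. The function names are made up for this sketch, the input is the two DS records quoted above in standard presentation format, and the check looks only at the DS set itself, so whether the remaining DS matches a DNSKEY in the live zone still has to be verified against the real domain.

```python
import re
from collections import defaultdict

# DS digest types (IANA registry): type -> (name, digest length in bytes)
DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}

# The two DS records quoted in the thread, in standard presentation format.
DS_RRSET = """\
mydomain.ca. IN DS 20084 8 1 42419294EC592BFE044D256126F0420212E4E619
mydomain.ca. IN DS 20084 8 2 827039A146CD8CD4528627BCB1351219FA7C36CFA54F702F2592047DEFE9C416
"""

# owner [ttl] [IN] DS key-tag algorithm digest-type hex-digest (may contain spaces)
DS_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

def parse_ds(text):
    """Yield (owner, key_tag, algorithm, digest_type, digest_bytes) per DS line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        m = DS_RE.match(line)
        if not m:
            raise ValueError(f"not a DS record: {line!r}")
        owner, tag, alg, dtype, hexd = m.groups()
        digest = bytes.fromhex("".join(hexd.split()))
        yield owner.lower(), int(tag), int(alg), int(dtype), digest

def audit(text):
    """Return (problems, removable). removable lists the (owner, key tag,
    algorithm) keys whose SHA-1 DS is backed by a SHA-256/SHA-384 DS."""
    by_key = defaultdict(dict)
    problems = []
    for owner, tag, alg, dtype, digest in parse_ds(text):
        name, length = DIGEST_TYPES.get(dtype, ("unknown", None))
        if length is not None and len(digest) != length:
            problems.append(f"{owner} tag {tag}: {name} digest is "
                            f"{len(digest)} bytes, expected {length}")
        by_key[(owner, tag, alg)][dtype] = digest
    removable = []
    for key, digests in sorted(by_key.items()):
        if 1 not in digests:
            continue
        if 2 in digests or 4 in digests:
            removable.append(key)
        else:
            problems.append(f"{key[0]} tag {key[1]}: only a SHA-1 DS exists")
    return problems, removable

if __name__ == "__main__":
    print(audit(DS_RRSET))
```
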
