Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread Mark Andrews
In message <1305003346.22233.1450165...@webmail.messagingengine.com>, "" writes: > hi, > > On Tue, 10 May 2011 14:50 +1000, "Mark Andrews" wrote: > > Do you have dnssec-lookaside configured and if so how? > > no, i don't. > > DCh ok. "dig soa com" "dig dnskey com" "dig ds com" -- Mark Andre

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread
hi, On Tue, 10 May 2011 14:50 +1000, "Mark Andrews" wrote: > Do you have dnssec-lookaside configured and if so how? no, i don't. DCh ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread
hi, On Tue, 10 May 2011 14:48 +1000, "Mark Andrews" wrote: > What does "dig DS adobe.com" return? dig DS adobe.com ; <<>> DiG 9.8.0-P1 <<>> DS adobe.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37646 ;; f

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread Mark Andrews
In message <130403.6599.1450152...@webmail.messagingengine.com>, "" writes: > Among numerous examples of folks running Bind9 in split-view mode > similar to my config, I found this unanswered DNSSEC-related post, > > "DNSSEC Validating Resolver and Views" > https://lists.isc.org/pipermail/

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread Mark Andrews
Do you have dnssec-lookaside configured and if so how? -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread
Hi, On Tue, 10 May 2011 13:52 +1000, "Mark Andrews" wrote: > > This sounds like you have configured 'must-be-secure ".";' which > disables secure to insecure transitions within the must-be-secure > namespace. > I'd not yet heard of that option. It's not present in my named.

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread
Among numerous examples of folks running Bind9 in split-view mode similar to my config, I found this unanswered DNSSEC-related post, "DNSSEC Validating Resolver and Views" https://lists.isc.org/pipermail/bind-users/2010-March/079166.html which seems, at least, similar to the issue I'm seeing,

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread Mark Andrews
This sounds like you have configured 'must-be-secure ".";' which disables secure to insecure transitions within the must-be-secure namespace. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNE

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread
hi, On Mon, 09 May 2011 20:11 -0700, "Doug Barton" wrote: > ... > the fact that un-signed domains aren't returning data either is a problem. that's not returning DATA *and* reporting a SERVFAIL. not sure if they're one and the same issue. > Split the features you described above into > separ

Re: proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread Doug Barton
On 05/09/2011 19:32, dchilton+b...@bestmail.us wrote: Hi. My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing as DNSSEC-valid. I've both internal and external views: -- internal is authoritative and provides recursion for LAN clients -- external serves only as an authoritati

proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

2011-05-09 Thread dchilton+bind
Hi. My bind v980-p1 svr is DNSSEC-enabled, and signed zones are publishing as DNSSEC-valid. I've both internal and external views: -- internal is authoritative and provides recursion for LAN clients -- external serves only as an authoritative hidden-primary feeding slaves via AXFR. all good. i

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Tony Finch
Marc Lampo wrote: > Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ... > > 4 DS's in total, > for each KSK 1 DS with SHA-1, one with SHA-2 > for one KSK, the algorithm used was changed from 5 to 8. As I understand it the problem that Stephane reported occurred when the sing

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 03:33:21PM +0200, Marc Lampo wrote a message of 38 lines which said: > 4 DS's in total, > for each KSK 1 DS with SHA-1, one with SHA-2 > for one KSK, the algorithm used was changed from 5 to 8. If I understand well, you have two KSK. In that case, yes, it should work (

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Marc Lampo
Sorry, I still cannot confirm the problem with Bind 9.7.3-P2 version ... 4 DS's in total, for each KSK 1 DS with SHA-1, one with SHA-2 for one KSK, the algorithm used was changed from 5 to 8. (I needed to do extra change of output of "dnssec-dsfromkey", because that tool calculates the keyid and

Re: which port for nsupdate?

2011-05-09 Thread /dev/rob0
On Mon, May 09, 2011 at 02:37:04PM +0800, Jeff Pang wrote: > which port is used by BIND for nsupdate? > Is tcp port 53 or 953 on localhost? At least two wrong assumptions are in this question. Excerpt from nsupdate(8) man page: "By default, nsupdate uses UDP to send update requests to the

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Marc Lampo
So far - no SHA-2 records. Only DS records with SHA-1. I'll add DS records with SHA-2 and try again ... So the "error" of the mismatched must be in the SHA-2 DS records ? And *not* in the SHA-1's ? Or in both ? Kind regards, Marc -Original Message- From: 'Stephane Bortzmeyer' [mailto

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 01:00:03PM +0200, Marc Lampo wrote a message of 47 lines which said: > 1 correct DS record, > 1 DS record, correct in everything but the algorithm And one DS record hashed with SHA-1 and one hashed with SHA-2? This was necessary to trigger the problem, because of RFC

Re: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread 'Stephane Bortzmeyer'
On Mon, May 09, 2011 at 01:41:08PM +0200, Marc Lampo wrote a message of 28 lines which said: > So the "error" of the mismatched must be in the SHA-2 DS records ? Yes. > And *not* in the SHA-1's ? Or in both ? RFC 4509 section 3 gives a strong priority to SHA-2. So, there is no symmetry: th

RE: [DNSSEC] Resolver behavior with broken DS records

2011-05-09 Thread Marc Lampo
Hello, Just tried with Bind 9.7.2-P3 (in our course environment for our DNSSEC workshop). I can *not* confirm this behaviour there : 1 correct DS record, 1 DS record, correct in everything but the algorithm --> validating caching name servers nicely return answers with "AD" bit set. All name se

Re: which port for nsupdate?

2011-05-09 Thread Stephane Bortzmeyer
On Mon, May 09, 2011 at 02:37:04PM +0800, Jeff Pang wrote a message of 14 lines which said: > which port is used by BIND for nsupdate? 53 by default, the standard port. nsupdate is for Dynamic Update, which uses the regular DNS protocol (unlike rndc which uses a BIND proprietary protocol).

Re: which port for nsupdate?

2011-05-09 Thread Mark Andrews
In message , Jeff Pang writes: > Hello, > > which port is used by BIND for nsupdate? > Is tcp port 53 or 953 on localhost? Port 53. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: DNSSEC submit of DLV vs DNSKEY records?

2011-05-09 Thread Stephane Bortzmeyer
On Fri, May 06, 2011 at 12:45:17PM +1000, Mark Andrews wrote a message of 52 lines which said: > Once the parent zone is signed and is accepting DS/DNSKEY records "is accepting" is not sufficient. Many TLD are managed in a strict registry/registrar fashion which means that it is not enough f