As someone who has had to deal with the interaction between BIND and
AD-integrated DNS for most of my DNS career, I think it's important, from a
BIND perspective, to understand how a given AD-integrated DNS zone is used.
If clients are registering themselves in the AD zone, then there is going
to b
Actually I have one more question just to make sure I'm not overlooking
anything for the KSK rollover. The instructions here:
https://www.icann.org/dns-resolvers-checking-current-trust-anchors
say that I need to, in addition to setting validation to "auto" run:
rndc secroots.
Well, I did that a
On 08/23/2018 02:15 PM, Grant Taylor via bind-users wrote:
It's my understanding that MS-DNS servers hosting AD Integrated zones
are actually functioning as application layer gateways between DNS and
data that's stored in LDAP.
My AD Guy confirms that the DNS data for Active Directory Integrat
> On 24 Aug 2018, at 2:05 am, Paul van der Vlis wrote:
>
> Hello,
>
> Is it possible to sign the ZSK key permanently with the KSK key?
No. There is no way to signal this in a RRSIG.
> If yes: how to do that?
>
> In this way I could keep the KSK key offline.
>
> With regards,
> Paul van
On 08/23/2018 01:20 PM, Barry S. Finkel wrote:
Somehow, under the covers, AD synchronizes the zones so that they have
the same content.
It's my understanding that MS-DNS servers hosting AD Integrated zones
are actually functioning as application layer gateways between DNS and
data that's stor
On 8/23/2018 9:21 AM, Bob McDonald wrote:
This may be an unpopular opinion, especially on the BIND-Users mailing
list (sometimes BIND is not the best answer).
It sounds like you might want something like multi-master DNS servers
that Active Directory (with AD integrated zones) provides.
Here'
Paul van der Vlis wrote:
>
> Is it possible to sign the ZSK key permanently with the KSK key?
> In this way I could keep the KSK key offline.
The only(*) revocation mechanisms in DNSSEC are expiring signatures and
replacing keys. If you sign your DNSKEY records permanently, when anyone
manages to
Hello,
Is it possible to sign the ZSK key permanently with the KSK key?
If yes: how to do that?
In this way I could keep the KSK key offline.
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/
Thanks Tony! This was very helpful.
On Thu, Aug 23, 2018 at 8:01 AM Tony Finch wrote:
> project722 wrote:
> >
> > 1) I am still seeing the "no valid signature found" messages in my
> > bind.log.
>
> > ;; validating ncentral.teklinks.com/A: no valid signature found
>
> In this case that's becaus
It looks like our named process is getting interrupted when too many queries
come in. What I think I see is the main named process sitting on one CPU and
child processes on the others. We have 16 CPUs and 19 named processes. Looks
like everything is fine if the main process stays on a CPU, but
> This may be an unpopular opinion, especially on the BIND-Users mailing
> list (sometimes BIND is not the best answer).
>
> It sounds like you might want something like multi-master DNS servers
> that Active Directory (with AD integrated zones) provides.
Here's the Microsoft AD DNS explanation:
h
project722 wrote:
>
> 1) I am still seeing the "no valid signature found" messages in my
> bind.log.
> ;; validating ncentral.teklinks.com/A: no valid signature found
In this case that's because ncentral.teklinks.com is signed but there's no
DS in the parent zone, so it's insecure. If you run de
Hi Tony,
I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two
thin
project722 wrote:
>
> In my named.conf I changed:
>
> dnssec-validation yes;
>
> to
>
> dnssec-validation auto;
Good :-)
Next thing to do is delete all trace of managed-keys or mkeys files or
trusted-keys configuration, then restart `named`. It will automatically
create managed-keys files with t