DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Divya
Dear Admin,

Has anybody implemented DNSSEC on IPv6 reverse zones? Kindly help us to configure DNSSEC on the reverse zones of an IPv6 segment with BIND 9.17.16 + CentOS 7.9.

With Thanks & Regards
Divya

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Andrews
You do it exactly the same as any other zone. You create DNSKEYs. You sign the zone. You add DS records to the parent zone.

-- 
Mark Andrews

> On 18 Nov 2021, at 20:28, Divya wrote:
>
> Dear Admin,
>
> Has anybody implemented DNSSEC on IPv6 reverse zones?
> Kindly help us to configure

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Elkins
And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC. One suggestion though. When one signs an IPv4 reverse - use NSEC - as everyone can guess what is there anyway. With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Blažej Krajňák
Hello

On Thu 18 Nov 2021 at 10:28 Divya wrote:
> Dear Admin,
>
> Has anybody implemented DNSSEC on IPv6 reverse zones?
> Kindly help us to configure DNSSEC on reverse zones of IPv6 segment with
> BIND 9.17.16+CentOS 7.9.
>
> With Thanks & Regards
> Divya
>

I can confirm working DNSSEC for I

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Grant Taylor via bind-users
On 11/18/21 3:14 AM, Mark Elkins wrote:
> With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy work at guessing what is in the zone.

Be mindful of current efforts for minimizing NSEC3 rounds / iterations which purportedly have a diminishing R
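The three steps in Mark Andrews' reply (create DNSKEYs, sign the zone, get DS records into the parent) together with the NSEC3 advice from the two follow-ups, written out as one named.conf fragment. This is an added example, not configuration posted by anyone on the thread. It assumes the documentation prefix 2001:db8::/32, whose reverse zone is 8.b.d.0.1.0.0.2.ip6.arpa, a zone file of the same name, the arbitrary policy name ip6-reverse, and BIND's dnssec-policy machinery (present in the 9.16/9.17 series the original poster runs).

```conf
// Added example, not from the thread. Prefix 2001:db8::/32 is assumed.
//
// Steps 1 and 2: with dnssec-policy, named generates the keys and signs the
// zone itself; no manual dnssec-keygen / dnssec-signzone run is needed.
dnssec-policy "ip6-reverse" {
    // One combined signing key (CSK), ECDSA P-256: small DNSKEY and RRSIG
    // records, and exactly one DS record to hand to the parent.
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };

    // NSEC3 rather than NSEC: an IPv6 reverse zone is mostly empty, so an
    // NSEC chain would let anyone walk the few PTR names that do exist.
    // No extra iterations and no salt: iterations only raise the cost for
    // validators, and the hashed names can be brute-forced regardless
    // (this is the "minimize NSEC3 iterations" guidance, RFC 9276).
    nsec3param iterations 0 optout no salt-length 0;
};

// 2001:db8::/32 -> nibbles 2 0 0 1 0 d b 8, reversed -> 8.b.d.0.1.0.0.2
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type primary;
    file "db.8.b.d.0.1.0.0.2.ip6.arpa";   // unsigned PTR data you maintain
    dnssec-policy "ip6-reverse";
    inline-signing yes;                  // named keeps the signed copy itself
};
```

Step 3 stays manual, because named never pushes DS records to a parent. After the zone loads, `rndc dnssec -status 8.b.d.0.1.0.0.2.ip6.arpa` lists the CSK and its key id; the DS record for the registry that delegated the /32 (an RIR, as in Mark Elkins' AFRINIC case) can be derived from that key's public file with `dnssec-dsfromkey -a SHA-256 K8.b.d.0.1.0.0.2.ip6.arpa.+013+<keyid>.key` (the key id is whatever `rndc dnssec -status` printed). Once the parent publishes the DS, tell named with `rndc dnssec -checkds published 8.b.d.0.1.0.0.2.ip6.arpa` so the key state machine can complete, confirm the delegation with `dig +dnssec DS 8.b.d.0.1.0.0.2.ip6.arpa`, and check end-to-end validation with `delv 8.b.d.0.1.0.0.2.ip6.arpa SOA`, which should report "; fully validated".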

Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
I wanted to provide enhanced recursive DNS to (internal) clients on an "opt in" basis, which is to say that clients could choose whether or not to receive enhanced replies based on what they configured as their local caching resolver. The enhanced services come in the form of a Response Policy Zone

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Niall O'Reilly
match-destinations ?

---
From an Android device, using BlueMail, which forces top-posting.

On 18 Nov 2021, 20:40, at 20:40, Fred Morris wrote:
> I wanted to provide enhanced recursive DNS to (internal) clients on an
> "opt in" basis, which is to say that clients could choose whether or not
> to

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Tony Finch
Fred Morris wrote:
>
> Didn't see any reason that it had to be separate instances of BIND,
> thought maybe I could do it with views, but I've run into a couple of
> roadblocks:
>
> 1. listen-on isn't supported in views.

Right, listen-on is for the server as a whole. To control which view is used

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread stuart@registry.godaddy
Look into "match-destinations" in a view, i.e.

acl abcd.anycast { 10.10.10.1; };
view "abcd" {
    match-clients { any; };
    match-destinations { abcd.anycast; };
    ...
};

The response-policy definition (and associated zone) can

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
Thanks for the encouragement folks, I forged ahead and I've got a different error now:

"response-policy zone 'rpz1.m3047.net' for view standard is not a master or slave zone"

That's the final denouement. There are several intermediate steps, such as moving all zone definitions into the vie

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Evan Hunt
On Thu, Nov 18, 2021 at 04:06:01PM -0800, Fred Morris wrote:
> Thanks for the encouragement folks, I forged ahead and I've got a
> different error now:
>
> "response-policy zone 'rpz1.m3047.net' for view standard is not a
> master or slave zone"
>
> That's the final denouement. There are s
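The setup the replies point at, as one complete named.conf: a single named, two listening addresses (listen-on being server-wide, as Tony Finch notes), two views selected by match-destinations as Niall and Stuart suggest, and the RPZ zone declared inside the view whose response-policy names it. BIND emits the "response-policy zone '...' for view ... is not a master or slave zone" error whenever the zone named in a view's response-policy is not a primary or secondary zone of that same view, so the placement of that zone statement is the point of the example. This is an added example, not Fred's or anyone else's configuration; the addresses 192.0.2.53 (plain) and 192.0.2.54 (enhanced), the ACL names, the internal ranges and the zone name rpz.example are all assumed.

```conf
// Added example, not from the thread. Addresses, ACL names and zone names
// are assumed; the shape is what matters: one named, two views keyed on the
// destination address the query arrived on.
acl "plain-addr"    { 192.0.2.53; };   // resolver address for plain recursion
acl "enhanced-addr" { 192.0.2.54; };   // resolver address clients opt in to
acl "internal"      { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/named";
    // listen-on is a server-wide option and is not accepted inside a view,
    // so both addresses are listed here, once.
    listen-on { 192.0.2.53; 192.0.2.54; };
    recursion yes;
    allow-recursion { internal; };
};

// Order matters: named uses the first view whose match-* clauses all
// succeed. Both views accept the same clients and differ only in the
// address the query was sent to.
view "standard" {
    match-clients      { internal; };
    match-destinations { plain-addr; };
    recursion yes;
    // Once any view exists, every zone must live inside a view; zone
    // statements at top level are no longer allowed.
    zone "." { type hint; file "named.ca"; };
};

view "enhanced" {
    match-clients      { internal; };
    match-destinations { enhanced-addr; };
    recursion yes;
    zone "." { type hint; file "named.ca"; };

    // The RPZ has to be a primary or secondary zone *in this view*. A
    // response-policy that names a zone declared only in another view (or
    // not at all) fails with:
    // "response-policy zone 'rpz.example' for view enhanced is not a
    //  master or slave zone"
    zone "rpz.example" {
        type primary;
        file "db.rpz.example";
        allow-query { none; };      // policy data is consulted internally only
    };
    response-policy { zone "rpz.example"; };
};
```

Two consequences worth knowing before deploying this: each view has its own cache, so a client that switches between the two resolver addresses sees independent cache state; and because the selection is by destination address only, "opting out" is as simple as pointing at the other address, which is exactly the opt-in model the question asks for but also means the RPZ is not a control you can rely on for clients you do not manage.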

Re: How to measure use of forwarders?

2021-11-18 Thread Carsten Strotmann
Hello Richard,

"Parkin, Richard (R.)" writes:
> Hello!
>
> We recently re-addressed some of our external-facing cache servers into a new network and discovered that our IPs appear to be blackholed going to certain third-party auth servers, either intentionally or unintentionally. Our workarou

DNSTAP overload condition logging

2021-11-18 Thread Carsten Strotmann
Hi,

how can a BIND 9 operator detect a DNSTAP overload condition? My understanding is that BIND 9 worker threads write DNSTAP information into a circular buffer in memory, which is then read by a different thread that writes out the data (to file or socket). Is there any indication to the user