Re: procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?

2022-10-19 Thread Mark Andrews
Just reload the server.
-- Mark Andrews

> On 20 Oct 2022, at 01:45, PGNet Dev wrote:
>
> running
>
>   bind 9.18.7
>
> i've enabled dnssec-policy signing
>
> current KSK & ZSK keys had been generated with
>
>   dnssec-policy "prod01" {
>   ...
>   nsec3param iterations 5

procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?

2022-10-19 Thread PGNet Dev
running

  bind 9.18.7

i've enabled dnssec-policy signing

current KSK & ZSK keys had been generated with

  dnssec-policy "prod01" {
  ...
  nsec3param iterations 5 optout no salt-length 8;
  ...
  }

noting Change default for

Re: Question About Internal Recursive Resolvers

2022-10-19 Thread Matus UHLAR - fantomas
On 18.10.22 09:23, Bob McDonald wrote: There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect to will seek responses from the DNS root servers AFTER determining that the response can not be

Re: CVE-2022-2795

2022-10-19 Thread Greg Choules via bind-users
Hi Greg. Short answer: no. Slightly less short answer: no, if you prevent the server from trying to follow delegations. It's that potentially wild goose chase that was the problem. In short: - Forwarding must cover everything the server needs to do (that isn't locally defined) i.e. global

Secondary zone is only using the first listed primary

2022-10-19 Thread Nick Tait via bind-users
Hi list. I have a BIND server that is acting as a secondary to replicate a zone from SpamHaus/Deteque, which is then used internally as a Response Policy Zone. This had been working fine for several years, but recently I noticed that BIND was reporting that the zone had expired. When I