Re: Specifying NSEC3 salt with dnssec-policy

2024-09-30 Thread Matthijs Mekking
Hi Klaus, With dnssec-policy you can specify the salt length, not a specific salt. You can still use dnssec-signzone -3 to manually set a salt. Best regards, Matthijs On 9/30/24 22:38, Klaus Darilion via bind-users wrote: Hello! With "auto-dnssec maintain;" I was used to specifying the NSEC3 s

Re: Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

2024-09-30 Thread Terik Erik Ashfolk
Please scratch the below line previous post. Upon detail look, they have Multi-Master support, but not with DNSSEC support. On 9/30/24 4:00 PM, Terik Erik Ashfolk wrote: I think I've seen another project Seen few other project also doing similar

Re: Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

2024-09-30 Thread Terik Erik Ashfolk
Hi Mark. THANK YOU. Sorry for delayed response. I understood some of your response better after Matthijs also mentioned your mail-post. I need to look into DNSSEC activity flow again, I'm sure there are changes since my last works on these, 5 years back. Main domain is "example.com"

Re: Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

2024-09-30 Thread Terik Erik Ashfolk
Hi Matthijs. THANK YOU. This "MUSIC" tool indeed appears to be the most suitable assisting add-on tool for BIND to support MULTI-SIGNER MODEL-2 (aka MULTI MASTER/PRIMARY) DNS NAME SERVER, at this moment. I think I've seen another project Seen few other project also doing similar I regret, I d

Re: Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

2024-09-30 Thread Terik Erik Ashfolk
Hi Matthew. THANKS. For HA (High-Availability), my 3 providers/nameservers will always stay online. You are right, I'm applying high change rate in zone. Of course, now I don't have many users. Project is in early/development stage. But, project is geared to have many users, thus why I mentioned

Specifying NSEC3 salt with dnssec-policy

2024-09-30 Thread Klaus Darilion via bind-users
Hello! With "auto-dnssec maintain;" I was used to specifying the NSEC3 salt with 'rndc signing -nsec3param'. Today I used the "dnssec-policy" and I failed to specify the salt manually. Are there any tricks/workarounds to manually specify the NSEC3 salt? I know that actually the salt should be "-"

Some Statistics Channel Cache Memory Stats either at 0 or accumulating

2024-09-30 Thread Jason Creviston
I've noticed TreeMemTotal seems to be ever-increasing, while TreeMemMax and HeapMemMax remain at 0. I didn't find any related fixes in the newer versions of 9.18, 9.20, or 9.21. Just started keeping track of stats via the JSON API. Running BIND 9.18.28 on Ubuntu 22.04. HeapMemTotal and HeapMem

Re: Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

2024-09-30 Thread Matthew Pounsett
On Sat, Sep 28, 2024 at 11:13 AM Terik Erik Ashfolk wrote: > > But 1024 or 2048 bit RSA key-pairs are considered weak. > Those are considered weak for _encryption_ because of the risk of future decryption of secrets. The window for someone to brute force your keys and fake signatures with a lim