numerous nsec3 bad cache hits

2014-10-29 Thread Antonio Querubin
e hit (fema.net/DNSKEY) I'm guessing this is some kind of brute force attack on BIND trying to take advantage of a broken dnssec configuration for fema.net? The problem is that the syslog is filled with these messages. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...

Re: A record of domain name must be name server ?

2014-09-11 Thread Antonio Querubin
e supposed to be ignored (except for RRSIG, etc) once the CNAME exists. Ie. the MX and NS RRs exist only for example.com, but not www.example.com. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com ___ Please v

Re: Serial numbers for inline signing

2013-12-18 Thread Antonio Querubin
-- it shouldn't be listed in the NS RRset for the zone, and a consistency check should ignore it. No, the slaves don't do any signing, just the master. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com ___ Please

Re: Serial numbers for inline signing

2013-12-18 Thread Antonio Querubin
On Wed, 18 Dec 2013, Alan Clegg wrote: On Dec 18, 2013, at 11:05 AM, Antonio Querubin wrote: Is there a way to keep the serial numbers synced between the primary and slaves for auto-maintained zones? Every once in a while the primary and slaves somehow get out of sync and the logs start

Re: Serial numbers for inline signing

2013-12-18 Thread Antonio Querubin
sanity checkers. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com On Dec 18, 2013, at 10:17 AM, Thomas Schulz wrote: > I have a question about the serial number as modified by inline signing. > I have a static zone, adi.com, that I am setting up for dnssec. I

Re: dig and IPV6 server

2013-08-26 Thread Antonio Querubin
On Mon, 26 Aug 2013, hugo hugoo wrote: C:\dig>dig @fe80::a6b1:e9ff:fe68:c8 www.google.be dig: couldn't get address for 'fe80::a6b1:e9ff:fe68:c8': address family not supported Try adding the interface to the link-local, eg.: dig @fe80::a6b1:e9ff:fe68:c8%eth0 www.google.be

tools for searching/removing stale keys

2011-02-24 Thread Antonio Querubin
Has anyone come up with scripts/tools for removing stale zone-signing keys but leaving key-signing keys which are in the same directory alone? Antonio Querubin e-mail/xmpp: t...@lava.net ___ bind-users mailing list bind-users@lists.isc.org https

need to disable dnssec for pseudo TLD zone

2010-10-27 Thread Antonio Querubin
ed from various spam BL repositories. Is there a way to disable dnssec validation on a per-zone basis for internal pseudo TLDs? Antonio Querubin 808-545-5282 x3003 e-mail/xmpp: t...@lava.net ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users