Jordan Larson via bind-users wrote:
> All the dnssec configuration(s) only need to reside on the master then,
> correct?
Correct.
Björn Persson
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
thi
r has the secret
keys. That way there's still a single consistent set of DNSKEY records.
If you need to give different answers to different clients, then you
configure separate views, and you must ensure that each client sees the
same view – including the same keys – on all DNS servers it can query
ight know the answer.
Björn Persson
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.or
Matthijs Mekking wrote:
> Please file a bug report:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4453
Björn Persson
not supposed to do that, or is this a known bug, or do I need to
spend the time to write a detailed bug report?
Björn Persson
whose massive resources can absorb the onslaught. The only
real solution would be if the entire software industry would grow up
and stop shipping garbage that's easily hijacked and enrolled in
botnets.
Björn Persson
Marco wrote:
> Try
> dig example.org +notcp to force a UDP lookup.
I find that I need to also use +ignore to prevent Dig from using TCP.
(That option has a very bad name.)
Björn Persson
aks nsdiff. I recommend an explicit
"inline-signing no;" in each zone to prevent problems. Bind will then
not keep an unsigned version of the zone, and it doesn't need to when
all changes are made through dynamic updates.
Björn Persson
Petr Špaček wrote:
> Please open an issue in our Gitlab:
Done:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4352
Björn Persson
ent future breakage.
Björn Persson
would be to query all of the servers listed
in the parent zone’s NS records *and* a validating resolver, and proceed
only when all of them return the updated DS record. Maybe that could be
a fourth choice for checkds?
Or, since BIND already knows how to do DNSsec validation, maybe just do
it?
Björ
infinite recursion? Must the validating resolver
be a different name server from the master server that performs the key
rollover?
Björn Persson
12 matches