Re: filter-a and dns64 in an ipv6-only network

2023-01-31 Thread Eric Germann via bind-users
> On Jan 31, 2023, at 15:27, Thomas Schäfer wrote: > > On Tuesday, 31 January 2023, 20:03:42 CET Marco wrote: > >> >> Why would it make sense to block them? > > Avoiding wrong decisions by "happy eyeballs" - probably the same rare reasons > why isc introduced the filter years ago - in

Re: RFC7344 (was: Funky Key Tag in AWS Route53 (2)) (2)

2022-12-29 Thread Eric Germann via bind-users
On Dec 29, 2022, at 16:34, Timothe Litt wrote: Yup, Eric's case was a classic example. He tried to do the right thing, put in the wrong record, and the system didn't produce the expected results. To his credit, he persisted. Most people don't. A while ago there was a study

Re: Funky Key Tag in AWS Route53 (2)

2022-12-29 Thread Eric Germann via bind-users
I understand all the tools and output. The error I was trying to find is why they disagreed and checking all the points along the way. Thanks for your scripts. Anyways, for GoogleFu, I got it fixed and it works correctly now thanks to

Re: Funky Key Tag in AWS Route53 (2)

2022-12-29 Thread Eric Germann via bind-users
Yeah, that’s the problem I’m trying to solve. I run the key thru dnssec-dsfromkey and get 32686. When I put the key into Route53, I get 22755 from the decoded DS record in the console for Route53. That’s why I wanted to decode the DS record to see if it’s encoding it as 32686 or 22755 > On

Funky Key Tag in AWS Route53

2022-12-28 Thread Eric Germann via bind-users
I’m running bind 9.18.10 and having a hell of a time with AWS Route53 and DNSSEC. I’m testing dnssec-policy and have algorithms 8, 13, and 15 set. On the test domain I’m using, I wiped the old keys, deleted the DS records in the parent zone and basically started from scratch. I started named

Re: key dir massive

2022-12-22 Thread Eric Germann via bind-users
> On Dec 22, 2022, at 09:32, Matthijs Mekking wrote: > > > I hope you have read our KB article on dnssec-policy before migrating: > > https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy > > It should list the main pitfalls to save you a lot of hassle (I suspect you > started

Re: Odd problem with DoH and DoT

2022-10-06 Thread Eric Germann via bind-users
um.com <https://ekgermann.medium.com/> Twitter: @ekgermann Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712 GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1 > On Oct 6, 2022, at 19:02, Eric Germann via bind-users > wrote: > > I

Odd problem with DoH and DoT

2022-10-06 Thread Eric Germann via bind-users
I’m having a really weird issue with 9.18.3. When I connect with OpenSSL to this particular server, I get two different server certs. Here are my requisite configs: listen-on port 53 { any; }; listen-on port 443 tls local-tls http local-http-server {

Re: Adding a new domain with DNSSEC

2022-04-10 Thread Eric Germann via bind-users
Are you missing a left paren before "1-16"? Eric Germann ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com LinkedIn: https://www.linkedin.com/in/ericgermann Medium: https://ekgermann.medium.com

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Eric Germann via bind-users
Why not, as a stopgap to protect your human rights, use your phone as a hotspot? Cheaper than suing everyone. Eric > On Jan 8, 2022, at 11:17, Stephane Bortzmeyer wrote: > > On Sat, Jan 08, 2022 at 04:55:24PM +0100, > Stephane Bortzmeyer wrote > a message of 52 lines which said: > >> This

Reloading new certs for DNS over HTTPS

2021-09-09 Thread Eric Germann via bind-users
I’ve implemented DNS over HTTPS on two of my servers to get some experience. I’m using LetsEncrypt for the cert issuer. I ran into an issue where it appears named only reads them on init. The cert expired and certbot faithfully renewed it, but was using the old cert it read at

Re: Contents of bind-users digest...

2021-07-06 Thread Eric Germann via bind-users
the >> whole environment setup. some don't build it all the time. >> >> >> I'll give ISC Five Stars on Google!  >> >> >>>> On 6 Jul 2021, at 05:56, Eric Germann via bind-users >>>> wrote: >>> >>> Has IS

dig standalone source?

2021-07-05 Thread Eric Germann via bind-users
Has ISC given any thought to releasing dig as a separate source package? It’s good for testing DoH, but you need to build the entire bind package to get it. It would be useful for support analysts without the overhead of compiling all of bind to get it --- Eric Germann ekgermann {at} semperen

Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Eric Germann via bind-users
>> >>> There’s no such option to configure. >>> >>> Ondřej >>> -- >>> Ondřej Surý — ISC (He/Him) >>> >>> My working hours and your working hours may be different. Please do not >>> feel obligated to reply outside your n

Re: Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Eric Germann via bind-users
tory. > > There’s no such option to configure. > > Ondřej > -- > Ondřej Surý — ISC (He/Him) > > My working hours and your working hours may be different. Please do not feel > obligated to reply outside your normal working hours. > >> On 5. 7. 2021, at 18:2

Compiling bind 9.17.15 with alternate OpenSSL library

2021-07-05 Thread Eric Germann via bind-users
I’m in the process of building a custom version of bind with DoH and would also like to add DNSSEC algorithm 15 for experimental purposes. DoH works just fine on the servers I have configured. My "configure" command is ./configure --with-openssl=../openssl-1.1.1k --with-libxml2 --with-json-c

Re: Odd A record in our hosts zone file

2021-06-25 Thread Eric Germann via bind-users
Time to live in the cache. Short time to live is useful when you need to change the A record to swing one host to another. > On Jun 25, 2021, at 12:56, Bruce Johnson wrote: > > I ran across these A records in one of our zone files: > > ;EXCHANGE STUFF > mail1m IN A

Re: 9.11 to 9.16: need directions

2021-06-13 Thread Eric Germann via bind-users
bind doesn’t support @ signs for the email contact. It would be root.rn6.xyz.local. Line 15, missing the class (IN)? DeadStick IN A 192.168.255.156 > > IN TXT "310702541c5622d0e6001136bd71a6578b" --- Eric Germann ekgermann {at} semperen {dot}

named reload and HTTPS certs

2021-06-04 Thread Eric Germann via bind-users
There’s been some great discussion lately on enabling DoH with LetsEncrypt certs. My question is this: If I renew the cert while named is running and do a reload on it, is that enough to pick up the new certs or do I need to stop/start the named process? Basically, does reload only reload

Re: No more support for windows

2021-06-04 Thread Eric Germann via bind-users
Call me naive, but I’m trying to figure out what the corner case is to use BIND on Windows. For an internal network Windows Server already has a name server that integrates with AD and everything else needed to run a Windows network. Support for DDNS is a lot easier, it has tons of SRV