Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Jan-Piet Mens via bind-users
Retried my named.conf with BIND 9.19.7-dev (Development Release) which reports: 26-Oct-2022 21:31:42.021 /private/tmp/b/named.conf:11: 'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'. See

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-26 Thread Jan-Piet Mens via bind-users
The change is that with 9.16, if the requested name is a CNAME, only the CNAME value is returned by dig, while with 9.11 dig would return both the CNAME value and the IP of the CNAME. As others have said, this needs more details, but I wonder whether you might now be querying a server which has

Re: 'inline-signing' might go away and be replaced by dnssec-policy ?

2022-10-26 Thread Jan-Piet Mens via bind-users
the 'inline-signing yes;' is needed IN ADDITION to 'dnssec-policy' in order to _not_ overwrite original zone files/data on signing. I cannot confirm that (9.17.22): % ls -1 example.aa named.conf % cat named.conf options { directory "."; listen-on port 5301 { 127.0.0.2; };

Re: A beginner's guide to DNSSEC with BIND 9

2022-10-26 Thread Jan-Piet Mens via bind-users
The inline-signing feature will not go away. Thanks, Matthijs, I stand corrected. I believe I had seen that in ISC documentation and/or issues, but I will now stop saying that. :) -JP -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

Re: A beginner's guide to DNSSEC with BIND 9

2022-10-24 Thread Jan-Piet Mens via bind-users
A Beginner's Guide to DNSSEC with BIND 9. Well done! A few comments, if I may: 1. in your zone stanzas you use the term "master" (type: master, ... masters {}). BIND has been updated already a while ago to support the term primary, e.g. `type primary;' and `primaries {};' (likewise for

Re: DS keys with 2 digest algorithms

2022-09-22 Thread Jan-Piet Mens via bind-users
Maybe in the future dnssec-signzone won't generate the deprecated entry to begin with. BIND 9.16.0 stopped generating SHA1 digests [1] : "DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of
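
The digest choice discussed above, as an added example that is not code from the thread or from BIND: it builds the DS records a dsset- file would contain for a DNSKEY, computing the RFC 4034 key tag and the digest over the canonical owner name followed by the DNSKEY RDATA, and emits only the SHA-256 digest (type 2) unless the deprecated SHA-1 digest (type 1) is explicitly requested. The DNSKEY, its owner name `example.aa.` and the 64-byte public key are constructed for illustration and are not a real key.

```python
"""Build the DS records dnssec-signzone would write to a dsset- file.

Added example, not code from the thread or from BIND. The DNSKEY below is
constructed (flags 257 = KSK, protocol 3, algorithm 13, a made-up 64-byte
public key); it is not a real key. Digest and key-tag computations follow
RFC 4034 (section 5.1.4 and Appendix B).
"""
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509). Type 1 (SHA-1) is the deprecated one
# that BIND 9.16.0 stopped emitting by default.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in owner.rstrip(".").lower().split(".")
        if label
    )
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Upper-case hex digest over canonical owner name || DNSKEY RDATA."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int) -> str:
    """One DS record in presentation format."""
    algorithm = rdata[3]
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def dsset(owner: str, rdata: bytes, include_sha1: bool = False) -> list[str]:
    """Lines of a dsset- file: SHA-256 only (the 9.16.0+ default) unless the
    caller explicitly asks for the deprecated SHA-1 digest as well."""
    types = [1, 2] if include_sha1 else [2]
    return [ds_record(owner, rdata, t) for t in types]


# Constructed key material: NOT a valid ECDSA public key, illustration only.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    for line in dsset("example.aa.", SAMPLE_RDATA, include_sha1=True):
        print(line)
```

Because the digest covers the canonical (lowercased) owner name, `EXAMPLE.AA` and `example.aa.` produce the same DS digest; only the key tag and digest type distinguish the lines, which is what a parent compares against when you publish them.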

Re: Delete/update MX record

2022-06-06 Thread Jan-Piet Mens via bind-users
Using nsupdate when I try to delete an MX record for a domain, I get REFUSED. REFUSED is also reported when attempting to update a non-dynamic zone. Are you sure the zone you're trying to update is actually dynamic? How do I remove and replace the MX record for a domain with nsupdate? del

Re: Splitting long strings in RRs using parentheses

2022-05-26 Thread Jan-Piet Mens via bind-users
20220317-a4qe._domainkey TXT ( v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAA ^ begin comment OCAQ8AMIIBCgKCAQEAmEsWuQCj+OenaSQ3dM6WItExor The bit from the first semicolon to the end of the line was missing. Is that expected behavior? A semicolon begins a
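
The loader behaviour behind the missing text above, as an added example that is not code from the thread or from BIND: a small tokenizer that applies the same two zone-file rules a lexer does, an unquoted `;` starts a comment that runs to the end of the physical line, and parentheses let one record span several lines. Inside double quotes a `;` is data. The DKIM records are constructed and shortened; they are not the poster's key.

```python
"""Why an unquoted DKIM TXT record loses everything after the first ';'.

Added example (not from the bind-users thread or from BIND). It follows the
two zone-file rules that matter here: outside double quotes a ';' begins a
comment that runs to the end of the physical line, and parentheses join
several physical lines into one record. Quoted strings keep ';' literally.
"""


def tokenize_zone(text: str) -> list[list[str]]:
    """Split zone-file text into records, each a list of tokens.

    Quoted strings become one token (quotes removed, backslash escapes
    resolved); unquoted words split on whitespace. Simplification: a quoted
    string may not span a physical line, which BIND does not allow either.
    """
    records: list[list[str]] = []
    tokens: list[str] = []
    word: list[str] = []
    depth = 0  # parenthesis nesting; > 0 means the record continues

    def flush() -> None:
        if word:
            tokens.append("".join(word))
            word.clear()

    for raw in text.splitlines():
        in_quotes = False
        i = 0
        while i < len(raw):
            c = raw[i]
            if in_quotes:
                if c == "\\" and i + 1 < len(raw):  # \" or \; inside quotes
                    word.append(raw[i + 1])
                    i += 2
                    continue
                if c == '"':
                    in_quotes = False
                    tokens.append("".join(word))  # quoted token, may be empty
                    word.clear()
                else:
                    word.append(c)
            elif c == ";":
                break  # comment: ignore the rest of this physical line
            elif c == '"':
                flush()
                in_quotes = True
            elif c == "(":
                flush()
                depth += 1
            elif c == ")":
                flush()
                depth -= 1
            elif c.isspace():
                flush()
            else:
                word.append(c)
            i += 1
        flush()
        if depth == 0 and tokens:
            records.append(tokens)
            tokens = []
    return records


def txt_value(record: list[str]) -> str:
    """Concatenate the TXT character-strings the way a DKIM verifier does."""
    return "".join(record[record.index("TXT") + 1:])


# Constructed zone fragments; the key material is shortened and not real.
UNQUOTED = (
    "20220317-a4qe._domainkey TXT ( v=DKIM1; k=rsa; p=MIIBIjANBgkq\n"
    "        hkiG9w0BAQEFAAOCAQ8A )\n"
)
QUOTED = (
    '20220317-a4qe._domainkey TXT ( "v=DKIM1; k=rsa; "   ; a real comment\n'
    '        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" )\n'
)

if __name__ == "__main__":
    for label, zone in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        (record,) = tokenize_zone(zone)
        print(f"{label:9s} -> {txt_value(record)!r}")
```

Run stand-alone, the unquoted form yields `v=DKIM1hkiG9w0BAQEFAAOCAQ8A`: `k=rsa` and the start of `p=` were eaten as a comment and the continuation line was glued to what remained. The quoted form yields the full `v=DKIM1; k=rsa; p=...` string, and the trailing `; a real comment` is still dropped as intended.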

Re: Primary zone not fully maintained by BIND

2022-05-26 Thread Jan-Piet Mens via bind-users
26-May-2022 10:06:14.458 debug 3: zone penguinpee.nl/IN/external: zone_rekey failure: unexpected error (retry in 600 seconds) One of the first things BIND does, if I'm reading lib/dns/zone.c correctly, is to attempt to lock the keys, and if it fails it emits that diagnostic. Assuming the

Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-26 Thread Jan-Piet Mens via bind-users
(putting this back on list) Thank you for the feedback, now I have already started the slave server [root@bind-master-centos7 ~]# dig kaixinduole.com +nssearch SOA ns1.kaixinduole.com. shawn.kaixinduole.com. 2022041566 3600 900 604800 86400 from server 52.130.145.30 in 0 ms. SOA

Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-26 Thread Jan-Piet Mens via bind-users
2. [image: image.png] In this screenshot you've shown the result of `cat named.conf', but where's the zone definition for kaixinduole.com? What we are seeing here is a recursive server. -JP -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC

Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-25 Thread Jan-Piet Mens via bind-users
I just modified the serial number. This is not currently a problem, but please note that you've changed the first four digits, which are likely to be 2023. Also, if the zone is reloaded there's no need to restart named. Actually nothing changed. Indeed. Are you doing these changes on the

Re: There are some prombles in the query log

2022-05-25 Thread Jan-Piet Mens via bind-users
All queries are from the same client whose IP is 192.168.100.126, but why is the port each query comes from so different? The source port is random and it should be different. I disabled recursion in BIND 9, but the Recursion Desired flag was set ('+') on all of them; this confused me. > If you add

Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-25 Thread Jan-Piet Mens via bind-users
the domain name is kaixinduole.com Querying the SOA record for kaixinduole.com shows the SOA serial number is less than what you showed in the screenshot: ;; ANSWER SECTION: kaixinduole.com. 21600 IN SOA ns1.kaixinduole.com. shawn.kaixinduole.com. (

Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-24 Thread Jan-Piet Mens via bind-users
(I've tried to reformat some of this; it was illegible to me and I'm probably misreading some of it) www IN CNAME www.baidu.com. [root@centos7 ~]# dig www.kaixinduole.com # it should be cname to You've not specified an address for dig to use so it's using

Re: Primary zone not fully maintained by BIND

2022-05-24 Thread Jan-Piet Mens via bind-users
dnssec-policy default; Slightly off-topic, but I believe ISC recommend using a custom policy instead of `default' in case the default changes in future. view "internal" { zone "penguinpee.nl" { type primary; file "dynamic/penguinpee.nl.internal.zone"; }; }; view

Re: Dynamic A records similar to nip.io or xip

2022-05-24 Thread Jan-Piet Mens via bind-users
Does the $GENERATE directive in BIND zone files do what you need? The $GENERATE statement is executed when loading the zone file, resulting in an expanded in-memory version of the zone being used. That can get quite large. -JP -- Visit https://lists.isc.org/mailman/listinfo/bind-users to
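
The load-time expansion described above, as an added example that is not code from the thread or from BIND: a function that expands one `$GENERATE` line into the records named would hold in memory, following the documented syntax (`$GENERATE range lhs [ttl] [class] type rdata`, range `start-stop[/step]`, `$` replaced by the iterator, `${offset,width,base}` for offset, zero-padded width and base `d`/`o`/`x`/`X`, `\$` for a literal dollar). The nibble base `n` is left out, and the trailing-comment handling is naive (no `;` inside quotes). The zone names and addresses in the examples are made up.

```python
"""Expand a BIND $GENERATE directive to see what named builds in memory.

Added example, not code from the thread or from BIND. Implements the
documented syntax "$GENERATE range lhs [ttl] [class] type rdata", where
range is start-stop[/step], "$" is replaced by the iterator value and
"${offset,width,base}" applies an offset, zero-padded width and base
(d, o, x or X); "\\$" yields a literal "$". The nibble base (n) is omitted.
"""
import re

_RANGE = re.compile(r"^(\d+)-(\d+)(?:/(\d+))?$")
# Either an escaped "\$" or "$" with an optional {offset[,width[,base]]} modifier.
_ITER = re.compile(r"\\\$|\$(?:\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?")


def _substitute(template: str, value: int) -> str:
    """Replace every iterator reference in one field with its value."""
    def repl(m: re.Match) -> str:
        if m.group(0) == "\\$":
            return "$"
        offset = int(m.group(1) or 0)
        width = int(m.group(2) or 0)
        base = m.group(3) or "d"
        spec = f"0{width}{base}" if width else base
        return format(value + offset, spec)

    return _ITER.sub(repl, template)


def expand_generate(line: str) -> list[str]:
    """Return the records one $GENERATE line stands for, one string each."""
    line = line.split(";", 1)[0]  # naive trailing-comment strip
    fields = line.split()
    if len(fields) < 4 or fields[0] != "$GENERATE":
        raise ValueError("not a $GENERATE directive: " + line)
    m = _RANGE.match(fields[1])
    if not m:
        raise ValueError("bad range: " + fields[1])
    start, stop = int(m.group(1)), int(m.group(2))
    step = int(m.group(3) or 1)
    if step < 1 or stop < start:
        raise ValueError("bad range: " + fields[1])
    templates = fields[2:]  # lhs, optional ttl/class, type, rdata
    return [" ".join(_substitute(f, i) for f in templates)
            for i in range(start, stop + 1, step)]


if __name__ == "__main__":
    # Constructed directives; a nip.io-style scheme needs one record per
    # address, so a /16 already means 65536 in-memory records.
    for directive in (
        "$GENERATE 1-254 dyn-$ A 10.1.2.$",
        "$GENERATE 1-254 $ PTR dyn-${0,3,d}.example.com.  ; reverse zone",
        "$GENERATE 0-65535 ip-${0,4,x} A 10.${0,0,d}.0.1",
    ):
        records = expand_generate(directive)
        print(f"{len(records):6d} records, first: {records[0]}")
```

A `$GENERATE` is therefore a loader shortcut, not a synthesis engine: every record it describes exists as a real RRset once the zone is loaded, is transferred to secondaries, and is signed if the zone is signed, which is why it does not scale to the whole-address-space answers a service like nip.io produces on the fly.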

Re: Dynamic A records similar to nip.io or xip

2022-05-23 Thread Jan-Piet Mens via bind-users
DLZ are loadable modules I should have pointed to the documentation [1] and some example modules [2]. -JP [1] https://github.com/isc-projects/bind9/tree/main/contrib/dlz/example [2] https://github.com/isc-projects/bind9/tree/main/contrib/dlz/modules -- Visit

Re: Dynamic A records similar to nip.io or xip

2022-05-23 Thread Jan-Piet Mens via bind-users
Does anyone know whether it's possible to generate with Bind these kind of A records automatically on the authoritative side BIND has DLZ, Dynamically Loadable Zones, which is an extension which allows zone data to be retrieved from basically anywhere. DLZ are loadable modules written in the C

Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users
I am ridiculed by an ISC member for using a reserved domain according to For the record, assuming you mean me, I am not affiliated with the gold folk at ISC. -JP -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this

Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users
Suppose I was working on a problem for Barclays Bank In that case I would think Barclays Bank's Platinum Enterprise BIND Support contract would cover answering such questions. -JP -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the

Re: Only one DS key comes back in query

2022-05-16 Thread Jan-Piet Mens via bind-users
The values in the file dsset-example.com generated by signing the zone are not good. If they are 'not good' then it's possible you are using an outdated dsset file. (And you are hiding domain names; I doubt example.com has been delegated to you.) dnssec-signzone creates dsset- files when

Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Jan-Piet Mens via bind-users
Is there a guide on transitioning the DNSSEC signing algorithm, One of the best concise instructions on doing this was written by Tony Finch while at Cambridge, and I have used this [1] successfully a few times. My recommendation: print it out, and use a red pen to tick off the individual

Re: Supporting LOC RR's

2022-05-02 Thread Jan-Piet Mens via bind-users
Fun is a sufficient reason. Definitely. IATA airport codes to LOC: % dig +short CDG.air.jpmens.net LOC 49 0 46.073 N 2 33 0.000 E 119.00m 1m 1m 10m and more fun with an associated TXT: % dig +short CDG.air.jpmens.net TXT "cc:FR; m:Paris; t:large, n:Charles de Gaulle International

Re: Using Ansible to manage bind installation/basic setup.

2021-05-18 Thread Jan-Piet Mens via bind-users
Ansible's template module is what you'd probably use for #1, the service module (with handlers) for #2, and #3 comes out of the box when you use Ansible. While you might find existing roles and playbooks on the internets, I would strongly recommend to vet them carefully in a test environment