Ondřej Surý said:
> Hi Richard,
> this is not the case.
> slack.com botched their DS/DNSKEY deployment (there’s a thread on
> dns-operations about it).
Thanks for the correction, my mistake. Apologies for the list spam!
Richard.
Hi Richard,
this is not the case.
slack.com botched their DS/DNSKEY deployment (there’s a thread on
dns-operations about it).
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
> On 1. 10. 2021, at 18:46, Richard T.A. Neal wrote:
>
> For those of you facing a curious issue with BIND failing to re
Thank you, Andrews.
From: Mark Andrews
Sent: Wednesday, 29 July 2020 02:15:24
To: Youssef Fassi Fihri
Cc: bind-users@lists.isc.org
Subject: Re: broken trust chain
A network link that is dropping packets can trigger EDNS failures in versions of
BIND before
A network link that is dropping packets can trigger EDNS failures in versions of
BIND before 9.13.3. These versions have code to compensate for servers that
fail to respond to EDNS queries or fail to respond to EDNS queries with DO=1
or fail to respond to queries with (particular) EDNS options set
What version of BIND are you using?
John
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
youssef.fassifi...@inwi.ma
Sent: Tuesday, July 28, 2020 6:10 PM
To: bind-users@lists.isc.org
Subject: broken trust chain
Hi All,
I am using Bind as resolver for end users.
A
Hi Cody,
please check contents of managed-keys.bind or viewname.mkeys files in
bind working directory. It can be redirected somewhere else by
managed-keys-directory option.
These files contain the state of managed keys of BIND. Their contents can be
analysed manually or by perl script in contrib/sc
Hi Cody,
Well, your "managed-keys" section looks almost right. It should *not*
have the dlv.isc.org key in there, because the DLV has retired. The root
zone keys look right.
If you set "dnssec-validation" to "auto" (the recommended setting), then
BIND *should* be able to validate. We don't know w
On 14/10/2018 14:17, Cody Allen wrote:
> issue just started on 10/13/2018 both servers impacted at same time, clocks
> are correct, version of bind is 9.11.1 impacting recursion on internal view,
> authoritative zones work fine, servers have been running for couple of years
> or longer with zer
/dev/rob0 wrote:
>
> > 3) Change from a forwarder to a slave and thereby become
> > authoritative and no longer have any need of DNSSEC validation on
> > this zone.
>
> Did you try with stub or static-stub?
Stub and static-stub just change how BIND finds a zone's nameservers; they
don't affect va
Dears,
Once I've tried to use stub zone to solve the same kind of problem with no
success.
John if it works for you tell us what you did.
Thanks
--
Miguel Mucio Santos Moreira
Gerente
GSR - Gerência de Serviços de Rede
(31)3339-1401
PRODEMGE - Companhia de Tecnologia da Informação do Est
On Fri, Sep 30, 2016 at 01:32:29PM -0400, jratl...@bluemarble.net wrote:
> On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote:
> >>
> >> This seems to indicate that the servers at 10.21.0.100 and 101
> >> are telling me that stc.corp domain is DNSSEC enabled. However,
> >> the new server fails
Dears,
I understood John has an invalid internal domain called stc.corp (Microsoft AD).
Some users will use a new Recursive DNS Server he said before and this new
Recursive DNS needs to query records on the internet and on the stc.corp
Authoritative Server, then he created a forward zone in rec
On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote:
>>
>> This seems to indicate that the servers at 10.21.0.100 and 101 are
>> telling me that stc.corp domain is DNSSEC enabled. However, the new
>> server fails to find any DS or RRSIG records, so validating this
>> claim is not possible. Is
On Friday, September 30, 2016, /dev/rob0 wrote:
> On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote:
> > I am building a new recursive DNS server. I have it set to forward
> > records for a single zone to our HQ DNS servers. When I try to
> > resolve a record, I get errors like this:
>
Hi John,
I've had the same problem as you. Either I'm gonna sign each zone on my
authoritative server that I need to be forwarded internally on my Recursive
Server or I'm gonna create two layers of Recursive DNS, the first layer just
with forward zones like your example but with DNSSEC disable
On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote:
> I am building a new recursive DNS server. I have it set to forward
> records for a single zone to our HQ DNS servers. When I try to
> resolve a record, I get errors like this:
>
> Sep 30 11:25:39 bltn-dns-04 named[2012]: validating
Quoting Mark Andrews:
Is this still with BIND 9.7.0-P1 or something more recent? If it
is still BIND 9.7.0-P1 then please upgrade. There really is no
point debugging validation failures in BIND 9.7.0-P1 anymore as the
validator has had really extensive changes since then.
Okay, compiled
Quoting Mark Andrews:
Is this still with BIND 9.7.0-P1 or something more recent? If it
is still BIND 9.7.0-P1 then please upgrade. There really is no
point debugging validation failures in BIND 9.7.0-P1 anymore as the
validator has had really extensive changes since then.
Please remember,
Is this still with BIND 9.7.0-P1 or something more recent? If it
is still BIND 9.7.0-P1 then please upgrade. There really is no
point debugging validation failures in BIND 9.7.0-P1 anymore as the
validator has had really extensive changes since then.
Please remember, that unlike most of the res
Quoting Mark Andrews:
In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>,
lst_ho...@kwsoft.de writes:
We are using Bind 9.7 at the border to resolve DNS queries for a small
LAN. After moving forward in using IPv6 we discovered many "broken
trust chain" errors in the bind log
Quoting Mark Andrews:
In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>,
lst_ho...@kwsoft.de writes:
We are using Bind 9.7 at the border to resolve DNS queries for a small
LAN. After moving forward in using IPv6 we discovered many "broken
trust chain" errors in the bind log
In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>,
lst_ho...@kwsoft.de writes:
> We are using Bind 9.7 at the border to resolve DNS queries for a small
> LAN. After moving forward in using IPv6 we discovered many "broken
> trust chain" errors in the bind log for non existing
22 matches