> My lesson is - besides just working out the configuration - testing
> RFC5011 takes more patience than just about any other feature of
> DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well.
As a side note: can you imagine my surprise when, after wai
> By default it dumps its output to a file; you can use `rndc secroots -`
> to get output on stdout.
Using "-" to get it to dump the secroots output to stdout is a new
feature added for 9.11. That hasn't been published yet, but if you build
from the source tree at source.isc.org (like Tony does),
On 4/21/15, 10:15, "Warren Kumari" wrote:
>
>From the ARM:
Sigh, RTFM...(My, BIND's gotten a lot more complicated/feature-rich since
I last read the docs.)
Hey, it's there.
smime.p7s
Description: S/MIME cryptographic signature
___
Please visit https
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis wrote:
> On 4/21/15, 9:45, "Tony Finch" wrote:
>>rndc secroots
>>
>>You can also look in the .mkeys file.
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
>
> (I had my rndc port bumped o
Edward Lewis wrote:
>
> I tried secroots with my set up, I got nothing despite the mkeys file.
> (Kind of asking - does that work?):
By default it dumps its output to a file; you can use `rndc secroots -`
to get output on stdout.
Tony.
--
f.anthony.n.finchhttp://dotat.at/
Hebrides, Bailey:
On 4/21/15, 9:45, "Tony Finch" wrote:
>rndc secroots
>
>You can also look in the .mkeys file.
I tried secroots with my set up, I got nothing despite the mkeys file.
(Kind of asking - does that work?):
(I had my rndc port bumped out of sudo-land, so it's overridden:)
$ rndc -p 1953 -c rndc.conf
Edward Lewis wrote:
>
> I have a suggestion - is there a way to query a BIND server for it's trust
> anchor key set?
rndc secroots
(though this only provides the key tags not the public key data)
> I say perhaps unnecessary because the information may be available on
> disk (which an administra
Evan/et.al.,
I've updated to 9.10.2, adjusted the timers, etc., and have managed to
follow the keyroll.systems test over night (a handful of key changes) plus
still get the desired "AD" bit.
With the timing in mind, I looked at my unbound (I realize this is BIND
users ;)) which wasn't keeping up
On Mon, Apr 20, 2015 at 4:33 PM, Evan Hunt wrote:
> On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
>> That page says (for BIND):
>> "Note: When using this config file you will probably need to delete
>> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mke
On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote:
> That page says (for BIND):
> "Note: When using this config file you will probably need to delete
> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys*
> every time you restart BIND after missing a keyrol
On Mon, Apr 20, 2015 at 3:41 PM, Edward Lewis wrote:
> Thanks. rm'd the file and added the timers. (I did that also after
> sending, so it is the deleting the old file that did the trick.) The
> start-up lines look good.
>
> Got an AD bit again too.
>
> (I may have a few more issues as I move t
Thanks. rm'd the file and added the timers. (I did that also after
sending, so it is the deleting the old file that did the trick.) The
start-up lines look good.
Got an AD bit again too.
(I may have a few more issues as I move this off a laptop on to a regular
machine. Right now it helps know
On Mon, Apr 20, 2015 at 06:42:42PM +, Edward Lewis wrote:
> Being that I'm working on a laptop (hence on on over the weekend) I've had
> to recreate the environment today. I'm a bit more puzzled now.
There's a separate file that named creates to keep the current
managed keys state information
Thanks to Evan for the last look and thanks to Jan-Piet for the suggestion
to go to 9.10.2.
Being that I'm working on a laptop (hence on on over the weekend) I've had
to recreate the environment today. I'm a bit more puzzled now.
I've built and installed BIND 9.10.2. Using http://keyroll.system
Edward,
the subject of this message piqued my interest ;-)
> 17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf
Very ouch. Much pain. Lots frustration. Many hairpulls. Mucho crash. ;)
Upgrade to 9.10.2 [1] in which Evan fixes the CVE we discovered on
RFC5011 rolls and, thankfully,
Thanks. Now have 'ad' bits via both BIND and unbound.
Will let you know when I've shot myself in the foot.
On 4/17/15, 12:45, "Evan Hunt" wrote:
...
>instead of waiting a full 30 days. (This is, I hope obviously, *not*
>something you want to run in production. :) )
smime.p7s
Description: S
On Fri, Apr 17, 2015 at 02:46:16PM +, Edward Lewis wrote:
> I am building named and unbound recursive servers to follow a test of RFC
> 5011 trust anchor updates, the experiment is documented at
> http://keyroll.systems. One reason why I'm asking here is in
> http://jpmens.net/2015/01/21/opend
I am building named and unbound recursive servers to follow a test of RFC
5011 trust anchor updates, the experiment is documented at
http://keyroll.systems. One reason why I'm asking here is in
http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/
which mentions some issues with RFC 5
18 matches
Mail list logo
