bind makes RRSIG disappear?

2011-02-06 Thread Gilles Massen
Hello, I have a very peculiar behavior: a zone, signed by OpenDNSSEC and pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely out of the blue, Bind decides to claim some authority over the zone: the SOA RRSIG (only that one) is scrapped, and this is logged: 06-Feb-2011 15:10:

Re: bind makes RRSIG disappear?

2011-02-06 Thread Chris Thompson
On Feb 6 2011, Gilles Massen wrote: I have a very peculiar behavior: a zone, signed by OpenDNSSEC and pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely out of the blue, Bind decides to claim some authority over the zone: the SOA RRSIG (only that one) is scrapped, and this is

Re: bind makes RRSIG disappear?

2011-02-06 Thread Gilles Massen
Chris, thanks for the hint, but: On 6/2/11 19:20 , Chris Thompson wrote: On Feb 6 2011, Gilles Massen wrote: I have a very peculiar behavior: a zone, signed by OpenDNSSEC and pushed to Bind 9.7.2-P3 by scp was working fine. But now, completely out of the blue, Bind decides to claim some auth

Re: bind makes RRSIG disappear?

2011-02-06 Thread Mark Andrews
Mark Andrews writes: > > In message <4d4ef872.6070...@restena.lu>, Gilles Massen writes: > > Chris, > > > > thanks for the hint, but: > > > > > > On 6/2/11 19:20 , Chris Thompson wrote: > > > On Feb 6 2011, Gilles Massen wrote: > > > > > >> I have a very peculiar behavior: a zone, signed by Op

Re: bind makes RRSIG disappear?

2011-02-06 Thread Mark Andrews
In message <4d4ef872.6070...@restena.lu>, Gilles Massen writes: > Chris, > > thanks for the hint, but: > > > On 6/2/11 19:20 , Chris Thompson wrote: > > On Feb 6 2011, Gilles Massen wrote: > > > >> I have a very peculiar behavior: a zone, signed by OpenDNSSEC and > >> pushed to Bind 9.7.2-P3 by

Re: bind makes RRSIG disappear?

2011-02-06 Thread Gilles Massen
Mark, On 02/06/2011 10:41 PM, Mark Andrews wrote: > Mark Andrews writes: >> >>> Does your configuration also have an "allow-update" setting (other than "none") for it, maybe only for the instance that is giving you trouble? In that case BIND will take it that you want it to do

Re: bind makes RRSIG disappear?

2011-02-07 Thread Cathy Almond
Hi Gilles, You've identified a corner-case bug - the logic is incorrect in the case where the ACL holds "none" instead of being empty. There's no compile-time option - but we are treating what you've reported to us as a bug (RT #23120). It is currently under investigation/discussion. Many thank

Re: bind makes RRSIG disappear?

2011-02-07 Thread Evan Hunt
> Thanks, this works indeed. > > This raises a few questions, as I'd really like to understand bind's > behavior: > > - is there any description of exactly how/when Bind assumes signing > authority over a zone? Or simply where some kind of zone-manipulating > intelligence kicks in? > > - is it p

Re: bind makes RRSIG disappear?

2011-02-07 Thread Gilles Massen
Evan, Thanks for outlining this - it's much clearer now. BIND will try to maintain the signatures in a zone if the zone is configured to be dynamic--i.e., if it has an update-policy or allow-update option. It won't create signatures where there were none, but it will try to keep existing RRSIGs

Re: bind makes RRSIG disappear?

2011-02-07 Thread Evan Hunt
> >BIND will try to maintain the signatures in a zone if the zone is > >configured to be dynamic--i.e., if it has an update-policy or allow-update > >option. It won't create signatures where there were none, but it will try > >to keep existing RRSIGs up to date for you. > > Not that I would need i