search for: ksk

Displaying 16 results from an estimated 16 matches for "ksk".

2017 Feb 01
4
Script not running correctly as cronjob
...finished, but it isn't. 03:04:28 DNSSEC-Signierung abgeschlossen The script deletes the old signed zones, but doesn't resign them. The mail is also sent. Below the script. Does anybody have an idea why it doesn't work in cron? I cannot find any error in any log. Best regards Daniel #!/bin/bash KSKDIR="/etc/named/KSK" ZSKDIR="/etc/named/ZSK" ZONEDIR="/var/named/chroot/var/named" LOG="/var/named/chroot/var/log/dnssec_resign.log" MAILREC="monitor at xx" #delete old signed files rm -rf $ZONEDIR/*.signed #delete the old log rm -rf $LOG #read th...
2016 Apr 27
0
DNSSEC / Security stats (forked from php thread)
.... Even without DANE, DNSSEC greatly improves security for the 7% (and growing) recursive resolvers that enforce DNSSEC. Before deploying DNSSEC do a lot of reading on it, because if you screw it up, those 7% enforcing recursive resolvers won't resolve your zone. I personally use a 2048-bit KSK and a 1024-bit ZSK. The KSK is what you have to get the DS record for uploaded to your TLS, and it should be rotated once a year. The ZSK is just in your zone, best practice says to rotate once a month but I rotate once a week, every Sunday. It should be automated, so it doesn't hurt to do...
2015 Dec 24
2
Centos7 problems with dnssec-keygen
I am reading: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html I have bind installed and default config running. I have not applied my customizations yet. The first step I am taking is getting rndc.key created. So reading the guide I am trying to run (while logged in as root, and in /etc): dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key The system is just
2019 Feb 13
3
DNSSEC Questions
On 2/12/19 10:55 PM, Alice Wonder wrote: > DNSSEC keys do not expire. Signatures do expire. How long a signature > is good for depends upon the software generating the signature, some > let you specify. ldns I believe defaults to 60 days but I am not sure. > > The keys are in DNSKEY records that are signed by your Key Signing > Key and must be resigned before the signature
2017 Feb 01
1
Script not running correctly as cronjob
...ying: set -x Then set cron to run it and examine the output that gets mailed to you. The -x tells it to echo each command it is about to execute. That will help you to see how far it is getting. Further comments below. Cheers Tony > Best regards > Daniel > > > #!/bin/bash > KSKDIR="/etc/named/KSK" > ZSKDIR="/etc/named/ZSK" > ZONEDIR="/var/named/chroot/var/named" > LOG="/var/named/chroot/var/log/dnssec_resign.log" > MAILREC="monitor at xx" > > #delete old signed files > rm -rf $ZONEDIR/*.signed > &...
2019 Feb 13
2
DNSSEC Questions
...ask here thinking somebody else may have already run into this issue. 2.) Assuming the answer to DNSSEC is no, can I at least have the keys last longer than they do by default. I am presently creating the keys via: > dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone > dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone It is very unclear to me given the dnssec-keygen man page how to set the date so that I could get 90 days or even more per key. The descriptions I found about constructing rolling keys were even more cryptic to me. For example, how do you use these switches:...
2015 Dec 24
0
Centos7 problems with dnssec-keygen
...done this? Am I doing things in the right order? If it > works for others, then there is something wrong with my setup... It's working fine for me. I'm using the command ldns-keygen to generate keys though - e.g. ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}` and KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}` ldns-keygen is from the ldns package. Mine is currently all scripted and automated, has been for months - I started with an Ubuntu tutorial though, not CentOS documentation, and adapted it. I'll have to look at the scripts I w...
2017 Feb 01
0
Script not running correctly as cronjob
...ying: set -x Then set cron to run it and examine the output that gets mailed to you. The -x tells it to echo each command it is about to execute. That will help you to see how far it is getting. Further comments below. Cheers Tony > Best regards > Daniel > > > #!/bin/bash > KSKDIR="/etc/named/KSK" > ZSKDIR="/etc/named/ZSK" > ZONEDIR="/var/named/chroot/var/named" > LOG="/var/named/chroot/var/log/dnssec_resign.log" > MAILREC="monitor at xx" > > #delete old signed files > rm -rf $ZONEDIR/*.signed > &...
2018 Oct 11
1
Issue with latest update of CentOS6
Hello, after I did update all my CentOS6 boxes - VMs and router; two of them (one VM and the router) are my local DNS resolvers; and I'm using the DNSSECTLSAvalidator plugin from nic.cz: https://www.dnssec-validator.cz/ before the update this plugin worked using my resolvers, after the update I get: "Failure - bogus DNSSEC reply, DNSSEC validation not possible with current
2019 Feb 13
0
DNSSEC Questions
...my own authoritative nameserver. > > 2.) Assuming the answer to DNSSEC is no, can I at least have the keys > last longer than they do by default. I am presently creating the keys via: > > > dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone > > > dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone It's not the keys that are the issue, but the RRSIG record that contains a start and expiration time for the records. If you upload signed zone files to godaddy, make sure to resign once a week or so so that the RRSIG gets updated. man ldns-signzone It...
1996 Dec 20
0
Other security holes in cgi program ?
...e they didn't exist. I have found two other scripts that some tries to run, I have no reference to them. These are: pursuit (3 accesses) query (3 accesses) Now comes my question: are those security holes too or just something that somebody likes to run? Love H-Åstrand lha@ksk.sala.se
2015 Dec 24
2
Centos7 problems with dnssec-keygen
...? If it >> works for others, then there is something wrong with my setup... > > It's working fine for me. > > I'm using the command ldns-keygen to generate keys though - e.g. > > ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}` > > and > > KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}` > > ldns-keygen is from the ldns package. > > Mine is currently all scripted and automated, has been for months - I > started with an Ubuntu tutorial though, not CentOS documentation, and > adapted it. > > I...
2019 Feb 13
0
DNSSEC Questions
...it to the registrar? I suspect > there is no way around that as I believe it is essential to maintaining > the chain of trust. But if I can keep everything on my own nameservers > that would be a big help ... maybe ldns-signzone is the answer? > As long as you don't change your KSK that information will not change.
2017 Feb 14
8
CentOS 7, systemd, NetworkMangler, oh, my
On 02/13/2017 11:36 AM, peter.winterflood wrote: > On 13/02/17 16:49, James Hogarth wrote: >> On 13 February 2017 at 16:17, peter.winterflood >> <peter.winterflood at ossi.co.uk> wrote: >>> >>> >>> there's a really good solution to this. >>> >>> yum remove NetworkManager* >>> >>> chkconfig network on
2020 Mar 26
0
[PATCH nbdkit 9/9] tests/old-plugins: Add plugin from nbdkit 1.18.2.
...-plugin.so b/tests/old-plugins/x86_64/Linux/v1.18.2/nbdkit-file-plugin.so new file mode 100755 index 0000000000000000000000000000000000000000..b0d93bc4c262cfbd1cf5de4cb9421422730c82c4 GIT binary patch literal 28064 ...
2020 Mar 26
15
[PATCH nbdkit 0/9] Create libnbdkit.so
This creates libnbdkit.so as discussed in the following thread: https://www.redhat.com/archives/libguestfs/2020-March/thread.html#00203 test-delay-shutdown.sh fails for unclear reasons. This series starts by reverting "tests: Don't strand hung nbdkit processes" which is because several other tests fail randomly unless I revert this patch. I didn't investigate this yet so it