search for: dnssec

Hi, ??? Anyone else had any issues with CentOS 6.10 bind DNS server issues this afternoon. At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind DNS servers from our monitoring system. Sure enough DNS requests via the server was failing, checking the named.log showed dnssec issues; 25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com A: bad cache hit (push.services.mozilla.com.dlv.isc.org/DLV) 25-Mar-2020 16:26:10.337 dnssec: info: validating @0xb4858cb0: push.services.mozilla.com AAAA: bad cache hit (push.services.mozilla.com....

...Yes. The installed ISC DLV key installed with bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not appear to be a new bind-9.8.2 RPM with a new key. I guess you can *manually* fetch a new key (look in the installed /etc/named.iscdlv.key file) OR You can just disable dnssec, by commenting out these lines: dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; and restarting named. > this afternoon....

...23 notify: info: zone dyn.internet-xs.net/IN: sending notifies (serial 2018012040) 27-Dec-2019 23:20:21.226 notify: info: zone panama.int/IN: sending notifies (serial 2016121200) 27-Dec-2019 23:20:21.227 notify: info: zone ixsdns.de/IN: sending notifies (serial 2018010102) *27-Dec-2019 23:20:28.434 dnssec: info: validating ./NS: got insecure response; parent indicates it should be secure* 27-Dec-2019 23:20:28.444 general: warning: managed-keys-zone: No DNSKEY RRSIGs found for '.': success 27-Dec-2019 23:20:29.219 dnssec: info: validating ./NS: no valid signature found 27-Dec-2019 23:20:29.71...

Hi, I found a small issue with DNSSEC validation of SSHFP lookups. (For reference I used OpenSSH 6.8p1 on FreeBSD 10.1). The issues is that when DNSSEC valiation fails, ssh displays a confusing message to the user. When DNSSEC validation of a SSHFP record fails, ssh presents the user with "Matching host key fingerprint found in D...

Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have update the keys, restart named and then update God...

...2.1.3-12.fc26 rawhide dnsmap.x86_64 0.30-11.fc26 rawhide dnsmasq.x86_64 2.77-3.fc27 rawhide dnsmasq-utils.x86_64 2.77-3.fc27 rawhide dnsperf.x86_64 2.1.0.0-7.fc27 rawhide dnssec-check.x86_64 2.1-7.fc26 rawhide dnssec-nodes.x86_64 2.1-6.fc26 rawhide dnssec-system-tray.x86_64 2.1-6.fc26 rawhide dnssec-tools.x86_64 2.2-3.fc25 rawhide dnssec-tools-libs.x86_64 2.2-3.fc25 rawh...

...0.30-11.fc26 >> rawhide >> dnsmasq.x86_64 2.77-3.fc27 >> rawhide >> dnsmasq-utils.x86_64 2.77-3.fc27 >> rawhide >> dnsperf.x86_64 2.1.0.0-7.fc27 >> rawhide >> dnssec-check.x86_64 2.1-7.fc26 >> rawhide >> dnssec-nodes.x86_64 2.1-6.fc26 >> rawhide >> dnssec-system-tray.x86_64 2.1-6.fc26 >> rawhide >> dnssec-tools.x86_64 2.2-3.fc25 >> raw...

On 2/12/19 10:55 PM, Alice Wonder wrote: > DNSSEC keys do not expire. Signatures do expire. How long a signature > is good for depends upon the software generating the signature, some > lets you specify. ldns I believe defaults to 60 days but I am not sure. > > The keys are in DNSSKEY records that are signed by your Key Signing >...

On 2/12/19 7:26 PM, Paul R. Ganci wrote: > Last weekend I had my DNSSEC keys expire. I discovered that they had > expired the hard way... namely randomly websites could not be found and > email did not get delivered. It seems that the keys were only valid for > what I estimate was about 30 days. It is a real PITA to have update the > keys, restart named...

Hi community, we have tow DCs there works under domain babis.local We are using unbound on our firewall for the interfaces as default DNS-Server. Unbound is activated and has an overwrite from our AD-Domain babis.local to the DCs. When DNSSEC is disabled on unbound, DNS-Queries to dc works perfect. When DNSSEC is activated on unbound, DNS-Queries will be send to root DNS-Servers and i got NXDOMAIN. Does Samba supports DNSSEC? What needs to be configure? I don?t found an article in the wiki. kind regards Oliver

I don't have a source, I'd have to dig through my browser history, but I looked at some of these stats just last month. Roughly 2% of the top 1000 domains in the United States had deployed DNSSEC - which I *think* is double what it was a year ago. Roughly 7% of ISP recursive DNS servers enforce DNSSEC. Comcast does and Google's public DNS does. Those are the big ones that enforce DNSSEC on their recursive servers. I do not see any statistics for DANE adoption, either on port 443 or...

Well, folks, There's an article on slashdot, <http://tech.slashdot.org/article.pl?sid=10/04/30/1258234> Excerpt: ...the coming milestone of May 5, at 17:00 UTC ? at this time DNSSEC will be rolled out across all 13 root servers. Some Internet users, especially those inside corporations and behind smaller ISPs, may experience intermittent problems. The reason is that some older networking equipment is pre-configured to block any reply to a DNS request that exceeds 512 bytes in...

...gt; dnsmasq.x86_64 2.77-3.fc27 >>>> rawhide >>>> dnsmasq-utils.x86_64 2.77-3.fc27 >>>> rawhide >>>> dnsperf.x86_64 2.1.0.0-7.fc27 >>>> rawhide >>>> dnssec-check.x86_64 2.1-7.fc26 >>>> rawhide >>>> dnssec-nodes.x86_64 2.1-6.fc26 >>>> rawhide >>>> dnssec-system-tray.x86_64 2.1-6.fc26 >>>> rawhide >>>> dnssec-tools.x86_6...

...{ goodclients; }; > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > tkey-domain "INTRA.DAM-APPLICATION.RO"; > > forwarders { > 213.154.124.1; > 193.231.252.1; > }; > > dnssec-enable yes; > dnssec-validation yes; I have this instead: dnssec-validation no; dnssec-enable no; dnssec-lookaside no; > > auth-nxdomain no; # conform to RFC1035 > listen-on-v6 { none; }; > }; > > /etc/bind/named.conf.defa...

...;> >> >> I have bind installed and default config running. I have not applied my >> customizations yet. The first step I am taking is getting rndc.key >> created. So reading the guide I am trying to run (while logged in as >> root, and in /etc): >> >> dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key >> >> The system is just sitting there and doing nothing. I have sshed as >> another session and do not see any processing being done by >> dnssec-keygen. >> >> Has anyone else done this? Am I doing things in the righ...

This release is an alpha release. We are currently not planning to have a 1.4.0 stable release as we want to prioritize implementing DNSSEC first. The next stable release will then be NSD 2.0.0 with DNSSEC support. This release has some major changes: the database format is much more compact, responses are generated on-the-fly instead of being precompiled in the database, and the new FLEX/YACC based compiler is now the only suppor...

https://bugzilla.mindrot.org/show_bug.cgi?id=1672 Summary: add local DNSSEC validation Product: Portable OpenSSH Version: 5.3p1 Platform: Other OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy:...

Hi everybody, in a university project I started building DNSSEC features into the current release of openSSH. The openSSH client I modified now authenticates a server through DNSSEC. I wanted to ask if there are already plans in the openSSH community to integrate DNSSEC features. I really enjoyed working with openSSH and would like to continue my work and con...

Attached is a patch that adds local DNSSEC validation to OpenSSH. See the readme for more detail. Please direct any questions or comments to users at dnssec-tools.org. Thanks.. -- Robert Story Senior Software Engineer SPARTA (dba Cobham Analytic Soloutions) -------------- next part -------------- A non-text attachment was scrubbed... Na...

Hi, I submitted a patch back in November of 2009 to add local validation of DNSSEC record to openssh. I recent updated the patch for 5.8, and figured I do a little marketing while I'm at it. :-) Someone had previously submitted a patch which simply trusted the AD bit in the response, which is susceptible to spoofing by anyone who can inject packets between the resolver and t...