search for: nsec3

Hi Chris, I've properly started looking into this yesterday. NSD definitely shouldn't crash, still working on that. However, the provided zone is invalid too(?) I'm not the foremost expert on NSEC3 (or even DNSSEC), but is seems an NSEC3 is missing for bar.foo.com. Empty non-terminals should still have an NSEC3 RR. (Of course, the delegation point should be at bar.foo.com. too and a.bar.foo.com. is an occluded name and this situation is purely hypothetical). I used the attached zone file al...

...mple.com.zone does not exist. After touching and > reloading the signed zone, no segfault occurs. I've tried with and > without the "--disable-radix-tree" configure option (as the error > occurs in the rbtree). I've also tried with example.com. being an > NSEC > and NSEC3 zone. > > Can you provide some more details? > > Best regards, > Jeroen > > > > > On Wed, 2024-10-02 at 14:57 +0000, Chris LaVallee via nsd-users > wrote: > > > > Hi, > > > > > > I found a reproducible?seg fault with a DNSSEC s...

I am reading: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html I have bind installed and default config running. I have not applied my customizations yet. The first step I am taking is getting rndc.key created. So reading the guide I am trying to run (while logged in as root, and in /etc): dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key The system is just

...-keygen. > > Has anyone else done this? Am I doing things in the right order? If it > works for others, then there is something wrong with my setup... It's working fine for me. I'm using the command ldns-keygen to generate keys though - e.g. ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}` and KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}` ldns-keygen is from the ldns package. Mine is currently all scripted and automated, has been for months - I started with an Ubuntu tutorial though, not CentOS documentation, and adapted it. I'll...

...lse done this? Am I doing things in the right order? If it >> works for others, then there is something wrong with my setup... > > It's working fine for me. > > I'm using the command ldns-keygen to generate keys though - e.g. > > ZSK=`/usr/bin/ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 ${zone}` > > and > > KSK=`/usr/bin/ldns-keygen -k -a RSASHA1-NSEC3-SHA1 -b 2048 ${zone}` > > ldns-keygen is from the ldns package. > > Mine is currently all scripted and automated, has been for months - I > started with an Ubuntu tutorial though, not CentOS...

...nst running a DNSSEC master zone on anything less than 9.6 and you really should be on 9.7. The thread DOES mention that some functionality has been backported by RH to what their 9.3.6. I did find the following: http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/ Is this the best path at this time? Can anyone point me to other documents? I have a server that I can test this out and get everything ready before I upgrade my main Centos DNS server. This way I can get it right in one try (or that is the dream).

...om.zone The file bar.example.com.zone does not exist. After touching and reloading the signed zone, no segfault occurs. I've tried with and without the "--disable-radix-tree" configure option (as the error occurs in the rbtree). I've also tried with example.com. being an NSEC and NSEC3 zone. Can you provide some more details? Best regards, Jeroen On Wed, 2024-10-02 at 14:57 +0000, Chris LaVallee via nsd-users wrote: > > Hi, > > > I found a reproducible?seg fault with a DNSSEC signed zone and > overlapping config. I'm running NSD 4.10.1. Here's h...

...the integration of simdzone (https://github.com/NLnetLabs/simdzone), performance of loading zones and IXFRs is drastically improved. Quick measurements show improvements ranging anywhere from 3.8x to 1.6x, depending on zone size and database type, though the improvements will be less noticable for NSEC3 zones due to pre-hashing. simdzone leverages SIMD instructions in modern CPUs to improve throughput. Right now SSE4.2 and AVX2 instruction sets are supported, other instruction sets will use the fallback implementation, which still is a decent improvement over the Flex+Bison based parser. The rel...

...2.95). - Bugfix #483: Better error message in case of TSIG error. - Bugfix #485: TTL should not be greater than 2^31 - 1. - Fix RCODE when CNAME loop final answer does not exist, should return NXDOMAIN as stated by RFC 6604. - Fix --disable-full-prehash bug, where after multiple incoming IXFRs, NSEC3 can be removed unjustified. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20130204/398d2770/attach...

...om.zone The file bar.example.com.zone does not exist. After touching and reloading the signed zone, no segfault occurs. I've tried with and without the "--disable-radix-tree" configure option (as the error occurs in the rbtree). I've also tried with example.com. being an NSEC and NSEC3 zone. Can you provide some more details? Best regards, Jeroen On Wed, 2024-10-02 at 14:57 +0000, Chris LaVallee via nsd-users wrote: > > Hi, > > > I found a reproducible seg fault with a DNSSEC signed zone and > overlapping config. I'm running NSD 4.10.1. Here's how...

We upgraded to NSD 3.2.9 (from 3.2.8) because we encountered the problem "Fix denial of existence response for empty non-terminal that looks like a NSEC3-only domain (but has data below it)." (a nasty problem with DNSSEC). But we now have IXFR issues. On one name server, NSD 3.2.9 works fine, zones are IXFRed and work. On another name server, with much more zones (and big ones), we deleted the databases and compiled everything again with zone...

Hello World, I am trying to build NSD4 on Debian Squeeze and I get the following errors when running `make`. ``` $ pwd /home/wiz/src/nsd/tags/NSD_4_0_0_imp_5 $ make [... output omitted ...] gcc -g -O2 -o nsd-checkconf answer.o axfr.o buffer.o configlexer.o configparse acket.o query.o rbtree.o radtree.o rdata.o region-allocator.o tsig.o tsig-opens 4_pton.o b64_ntop.o -lcrypto configparser.o: In

Hi all, we have discovered a segfault in nsd-patch when renaming slave zone in nsd config file if some data for this zone still exists in the IXFR diff database. In my case, the zone "black" was renamed to "blackinwhite": > root at ggd115:/cage/nsd/var/nsd/zones#nsd-patch -c > /cage/nsd/etc/nsd-dns-slave.conf > reading database > reading updates to database >

Hello, My question is not related to NSD in particular, but I have seen here on the list a lot of people that work for TLDs and other Registrars and Registry operators I thought it would be a good place to ask this question. It is about DNS though, not completely off topic :). I have encountered in my DNS studies a few name servers that let you transfer zones they are authoritative for. The

hello all reader hello centos network I use to bind core fecora 12 http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/ I am having problems with my dk and dkim signature of my emails I have successfully made the process of verification of signatures dnssec all my domains are correct and good displays on dlv.isc.org the reason for my problem just the reason that I have updated my postfix and I have recreat...

Hi, I found a reproducible seg fault with a DNSSEC signed zone and overlapping config. I'm running NSD 4.10.1. Here's how to reproduce. 2 zones in nsd.conf: zone: name: "foo.com." zonefile: "/zones/foo.com.zone.signed" zone: name: "bar.foo.com." zonefile: "/zones/bar.foo.com.zone" Zone files:

...ing @0x7eff240301a0: static.external.zlb.scl3.mozilla.com A: no valid signature found May 23 10:49:07 S4 named[2162]: validating @0x7eff4a2ace30: mozilla.com SOA: no valid signature found May 23 10:49:07 S4 named[2162]: validating @0x7eff4a2ace30: 46415bfg4kn5renvhh8v6j30akqkq572.mozilla.com NSEC3: no valid signature found May 23 10:49:12 S4 named[2162]: samba_dlz: starting transaction on zone ariane.intra May 23 10:49:12 S4 named[2162]: samba_dlz: allowing update of signer=dhcpduser\@A...

...; static.external.zlb.scl3.mozilla.com A: no valid signature found > May 23 10:49:07 S4 named[2162]: validating @0x7eff4a2ace30: > mozilla.com SOA: no valid signature found > May 23 10:49:07 S4 named[2162]: validating @0x7eff4a2ace30: > 46415bfg4kn5renvhh8v6j30akqkq572.mozilla.com NSEC3: no valid signature > found > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > &g...

...ming with CentOs. This version can not do dns updates!!!! Install needs for samba. yum install libacl* libbb* gnutls* readline* python* gdb* autoconf* . Named installation: Here is a description on what to do: http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-d nssec-nsec3-support/ . The steps, yum -y install make gcc rpm-build libtool openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto . For named to compile correctly you need this 2 packages too: yum -y install curl* . You need python-dn...

...First of all do not install the bind package coming with centos 5.5!! Install needs for samba yum install libacl* gnutls* readline* python* gdb* autoconf* Named installation: Here is a description on what to do: http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-d nssec-nsec3-support/ The steps, yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto For named to compile correctly you need this 2 packages too: yum -y install curl* download.fedor...