search for: signzon

...> <snip> > It's not the keys that are the issue, but the RRSIG record that > contains a start and expiration time for the records. > > If you upload signed zone files to godaddy, make sure to resign once a > week or so so that the RRSIG gets updated. > > man ldns-signzone Okay so I misunderstood the message I was getting when I checked my DNSSEC setup via http://dnsviz.net/. What you are telling me is that all I had to do was re-sign the zone files but that it was not necessary to generate new keys. This point is definitely one that I missed. I too run my own...

...t's not the keys that are the issue, but the RRSIG record that >> contains a start and expiration time for the records. >> >> If you upload signed zone files to godaddy, make sure to resign once a >> week or so so that the RRSIG gets updated. >> >> man ldns-signzone > > Okay so I misunderstood the message I was getting when I checked my > DNSSEC setup via http://dnsviz.net/. What you are telling me is that all > I had to do was re-sign the zone files but that it was not necessary to > generate new keys. This point is definitely one that I m...

Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have update the keys, restart named and then update Godaddy with new digests. The first part of the problem is fairly

...ng files will be updated as part of updating to 7.0-RELEASE-p3: /boot/kernel/kernel /boot/kernel/kernel.symbols /usr/bin/dig /usr/bin/host /usr/bin/nslookup /usr/bin/nsupdate /usr/include/netinet/tcp.h /usr/lib/libssh.a /usr/lib/libssh.so.4 /usr/lib/libssh_p.a /usr/sbin/dnssec-signzone /usr/sbin/lwresd /usr/sbin/named /usr/sbin/named-checkconf /usr/sbin/named-checkzone /usr/sbin/named-compilezone /usr/sbin/sshd /usr/src/sys/conf/newvers.sh /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/tcp_output.c While there is a new file for /usr/sbin/named, it isn't r...

...files ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*') for FILES in $ZONEFILES; do #remove the .zone at the end ZONE=$(echo "${FILES%.*}") #remove the old signed zone rm -rf $ZONEDIR/$ZONE.signed #Sign the zone cd $ZONEDIR dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG #Set the correct permissions chown named.named $ZONEDIR/*.signed chmod 755 $ZONEDIR/*.signed sleep 5 done rm -rf $ZONEDIR/named.zone echo $(date +"%T&q...

...*}") Why not just: ZONE=${FILES%.*} > #remove the old signed zone > rm -rf $ZONEDIR/$ZONE.signed You deleted them all further up. > #Sign the zone > cd $ZONEDIR Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere. > dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 > -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG > > #Set the correct permissions > chown named.named $ZONEDIR/*.signed > chmod 755 $ZONEDIR/*.signed > sleep 5 > done > rm -rf $ZO...

...ourse, the delegation point should be at bar.foo.com. too and a.bar.foo.com. is an occluded name and this situation is purely hypothetical). I used the attached zone file along with the following commands to generate a zone file to The input I used to generate: ldns-keygen -a 13 -k foo.com dnssec-signzone -3 AA61D5A398769C09 -H 0 -S -A -z -o foo.com. foo.com.zone Kfoo.com.+013+58636 Doesn't get me the exact the same thing, but good enough to get the same segfault. - Jeroen On Wed, 2024-10-09 at 13:53 +0200, Jeroen Koekkoek via nsd-users wrote: > Hi Chris, > > I can reproduce with...

...*}") Why not just: ZONE=${FILES%.*} > #remove the old signed zone > rm -rf $ZONEDIR/$ZONE.signed You deleted them all further up. > #Sign the zone > cd $ZONEDIR Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere. > dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone > $ZSKDIR/K$ZONE.*.key >> $LOG > > #Set the correct permissions > chown named.named $ZONEDIR/*.signed > chmod 755 $ZONEDIR/*.signed > sleep 5 > done > rm -rf $ZON...

...eygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone It's not the keys that are the issue, but the RRSIG record that contains a start and expiration time for the records. If you upload signed zone files to godaddy, make sure to resign once a week or so so that the RRSIG gets updated. man ldns-signzone It has switches for setting the start and expiration date of signatures. By default I believe it uses current timestamp for start and +60 days for end, though it may be +30 days.

Hi Chris, I can reproduce with your zone. Thanks! Best, Jeroen On Tue, 2024-10-08 at 14:07 +0000, Chris LaVallee wrote: > > Hi Jeroen, > > > Attached is the zone I used. Did you add the record for a.bar ? > > > Ex: > > > a.bar ? 300 ? ? IN ?NS ? ? ?ns.somewhere.net. > > > Chris > > > > > > > > > > >

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:20.bind Security Advisory The FreeBSD Project Topic: Denial of Service in named(8) Category: contrib Module: bind Announced: 2006-09-06