similar to: DNSSEC / Security stats (forked from php thread)

On 12/24/2015 12:40 PM, Robert Moskowitz wrote: > I am reading: > > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html > > I have bind installed and default config running. I have not applied my > customizations yet. The first step I am taking is getting rndc.key > created. So reading the guide I am trying to run (while logged in as > root, and

On 12/24/2015 03:50 PM, Alice Wonder wrote: > > > On 12/24/2015 12:40 PM, Robert Moskowitz wrote: >> I am reading: >> >> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html >> >> >> I have bind installed and default config running. I have not applied my >> customizations yet. The first step I am taking is getting

In article <86827d81f1944333ae213f2d3f19856a at 2sic.com>, Daniel Reich <Daniel.Reich at 2sic.com> wrote: > Hi > > I have a script to resign all DNS zones every two weeks. When i run the script from bash, it works like it should. But > when it is executed in cron not. Its starting normal as cronjob: > Feb 1 03:00:01 xxx CROND[20116]: (root) CMD (sh

Hi I have a script to resign all DNS zones every two weeks. When i run the script from bash, it works like it should. But when it is executed in cron not. Its starting normal as cronjob: Feb 1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh) But after i get a mail that everything is finsihed, but it isn't. 03:04:28 DNSSEC-Signierung abgeschlossen The script

Thank you for the hints I modified like you described. I also moved the permission part out of the loop (once at the end of the script is enough). Now with the "set -x" the script is working also in cron. Best regards Daniel -----Original Message----- From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Tony Mountifield Sent: Wednesday, February 1, 2017 11:04 AM To:

I am reading: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html I have bind installed and default config running. I have not applied my customizations yet. The first step I am taking is getting rndc.key created. So reading the guide I am trying to run (while logged in as root, and in /etc): dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key The system is just

On 2/12/19 7:26 PM, Paul R. Ganci wrote: > Last weekend I had my DNSSEC keys expire. I discovered that they had > expired the hard way... namely randomly websites could not be found and > email did not get delivered. It seems that the keys were only valid for > what I estimate was about 30 days. It is a real PITA to have update the > keys, restart named and then update Godaddy

On 2/12/19 11:49 PM, Paul R. Ganci wrote: > > On 2/12/19 10:55 PM, Alice Wonder wrote: >> DNSSEC keys do not expire. Signatures do expire. How long a signature >> is good for depends upon the software generating the signature, some >> lets you specify. ldns I believe defaults to 60 days but I am not sure. >> >> The keys are in DNSSKEY records that are signed

Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have update the keys, restart named and then update Godaddy with new digests. The first part of the problem is fairly

Hi community, we have tow DCs there works under domain babis.local We are using unbound on our firewall for the interfaces as default DNS-Server. Unbound is activated and has an overwrite from our AD-Domain babis.local to the DCs. When DNSSEC is disabled on unbound, DNS-Queries to dc works perfect. When DNSSEC is activated on unbound, DNS-Queries will be send to root DNS-Servers and i got

On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder <alice at domblogger.net> wrote: > Not with a smtp that enforces DANE. I'm aware of how DANE works. The only problem is no MTA outside of Postfix implements it. You can thank the hatred of DNSSEC for that. Brandon Vincent

On 04/27/2016 01:06 AM, Brandon Vincent wrote: > On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder <alice at domblogger.net> wrote: >> Not with a smtp that enforces DANE. > > I'm aware of how DANE works. > > The only problem is no MTA outside of Postfix implements it. > > You can thank the hatred of DNSSEC for that. > I never understood the hatred for DNSSEC.

On 04/27/2016 07:50 PM, Alice Wonder wrote: > On 04/27/2016 12:41 AM, Alice Wonder wrote: >> On 04/27/2016 12:30 AM, James Hogarth wrote: >> *snip* >>> >>> Unless you have a very specific requirement for a very bleeding edge >>> feature it's fundamentally a terrible idea to move away from the >>> distribution packages in something as exposed

On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen <rkampen at kampensonline.com> wrote: > Sounds good, but how many domain MX servers have set up these fingerprint > keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it > uses it if available. So even if you do post it on your DNS, how many > clients out there are using DANE on their set up? By the time it

On 2/12/19 10:55 PM, Alice Wonder wrote: > DNSSEC keys do not expire. Signatures do expire. How long a signature > is good for depends upon the software generating the signature, some > lets you specify. ldns I believe defaults to 60 days but I am not sure. > > The keys are in DNSSKEY records that are signed by your Key Signing > Key and must be resigning before the signature

On 11.08.2017 11:36, Michael Felt wrote: > This is what Ralph means when he says "have been running a CA for > 15+ years" - not that he is (though he could!) sell certificates > commercially - rather, he is using an initial certificate to sign > later certificates with. Actually, I do sell certificates to my customers. :-) In small numbers, and only for servers to which I

On Fri, August 18, 2017 5:02 pm, Michael Felt wrote: > On 8/11/2017 1:29 PM, Ralph Seichter wrote: >>> And, Ralph, I salute you. I have never been able to be disciplined >>> enough to be my own CA. >> I encourage you to look into the subject again. >> > I actually have been, which is why I could give a near sensible reply. > Thanks for the encouragement!

On 04/27/2016 12:41 AM, Alice Wonder wrote: > On 04/27/2016 12:30 AM, James Hogarth wrote: > *snip* >> >> Unless you have a very specific requirement for a very bleeding edge >> feature it's fundamentally a terrible idea to move away from the >> distribution packages in something as exposed as a webserver ... > > I use to believe that. > > However I no

On 8/11/2017 1:29 PM, Ralph Seichter wrote: > On 11.08.2017 11:36, Michael Felt wrote: > >> This is what Ralph means when he says "have been running a CA for >> 15+ years" - not that he is (though he could!) sell certificates >> commercially - rather, he is using an initial certificate to sign >> later certificates with. > Actually, I do sell certificates

Hi all, I've never really wanted to create my own MTA, because I like Postfix quite a lot. And I always thought it would require a horribly lot of time to be able to create something that was anywhere even close to having Postfix's features. (I would shudder to even think about recreating Dovecot from scratch nowadays.) But slowly over time I've also been thinking of ways how things