similar to: Issue with latest update of CentOS6

Hi, ??? Anyone else had any issues with CentOS 6.10 bind DNS server issues this afternoon. At 16:26 (GMT) had alerts for DNS failures against our CentOS 6.10 bind DNS servers from our monitoring system. Sure enough DNS requests via the server was failing, checking the named.log showed dnssec issues; 25-Mar-2020 16:26:10.285 dnssec: info: validating @0xb48b17c0: push.services.mozilla.com

Default install with local_unbound and ntpd can't be functional with incorrect date/time in BIOS: Unbound requred correct time for DNSSEC check and refuseing queries ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") ntpd don't have any numeric IP of ntp servers in ntp.conf -- only symbolic names like

Default install with local_unbound and ntpd can't be functional with incorrect date/time in BIOS: Unbound requred correct time for DNSSEC check and refuseing queries ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") ntpd don't have any numeric IP of ntp servers in ntp.conf -- only symbolic names like

Hi I have a script to resign all DNS zones every two weeks. When i run the script from bash, it works like it should. But when it is executed in cron not. Its starting normal as cronjob: Feb 1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh) But after i get a mail that everything is finsihed, but it isn't. 03:04:28 DNSSEC-Signierung abgeschlossen The script

On 2/12/19 10:55 PM, Alice Wonder wrote: > DNSSEC keys do not expire. Signatures do expire. How long a signature > is good for depends upon the software generating the signature, some > lets you specify. ldns I believe defaults to 60 days but I am not sure. > > The keys are in DNSSKEY records that are signed by your Key Signing > Key and must be resigning before the signature

https://bugzilla.mindrot.org/show_bug.cgi?id=2119 Bug ID: 2119 Summary: SSHFP with DNSSEC ? no trust anchors given, validation always fails Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

I am reading: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html I have bind installed and default config running. I have not applied my customizations yet. The first step I am taking is getting rndc.key created. So reading the guide I am trying to run (while logged in as root, and in /etc): dnssec-keygen -a hmac-md5 -b 256 -n HOST rndc.key The system is just

Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have update the keys, restart named and then update Godaddy with new digests. The first part of the problem is fairly

Thank you for the hints I modified like you described. I also moved the permission part out of the loop (once at the end of the script is enough). Now with the "set -x" the script is working also in cron. Best regards Daniel -----Original Message----- From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Tony Mountifield Sent: Wednesday, February 1, 2017 11:04 AM To:

I don't have a source, I'd have to dig through my browser history, but I looked at some of these stats just last month. Roughly 2% of the top 1000 domains in the United States had deployed DNSSEC - which I *think* is double what it was a year ago. Roughly 7% of ISP recursive DNS servers enforce DNSSEC. Comcast does and Google's public DNS does. Those are the big ones that enforce

On 12/24/2015 03:50 PM, Alice Wonder wrote: > > > On 12/24/2015 12:40 PM, Robert Moskowitz wrote: >> I am reading: >> >> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-bind-rndc.html >> >> >> I have bind installed and default config running. I have not applied my >> customizations yet. The first step I am taking is getting

Hello, it has been a while since I had setup a DNS-Server with CentOS 6; these days I added a few zones needed for DDNS; this works but in /etc/ I found quite a strange file, I'm not sure if it was in use at the beginning I used this system as a DNS-Server, and after several 'yum update' not any more; /etc/named.root.key with this content managed-keys { # DNSKEY for the root zone. #

I have two CentOS6 boxes, both running Bind as a local resolver, with what appears to me to be the same configuration as each other. I have a problem on one but not the other, to do with DNSSEC Lookaside Validation. On the box with the problem, if I do: host www.bbc.co.uk 127.0.0.1 (for example), it sits there for a while, then gives me a timeout error. I did some tests while running a tcpdump

Hello, My question is not related to NSD in particular, but I have seen here on the list a lot of people that work for TLDs and other Registrars and Registry operators I thought it would be a good place to ask this question. It is about DNS though, not completely off topic :). I have encountered in my DNS studies a few name servers that let you transfer zones they are authoritative for. The

At Wed, 25 Mar 2020 17:03:23 +0000 CentOS mailing list <centos at centos.org> wrote: > > Hi, > > ???????????? Anyone else had any issues with CentOS 6.10 bind DNS server issues Yes. The installed ISC DLV key installed with bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not appear to be a new bind-9.8.2 RPM with a new key. I guess you can

Dear OpenSSH Developers, I'm a member of the Debian System Administration (DSA) team. [1] We manage the Debian Projects computing infrastructure. Recently, DSA had the opportunity to address a member's request that we begin using certificates to authenticate Debian Project machines to ssh clients. We provided a lengthy reply, the summary of which is "we publish SSHFP records; use

On 04/13/2017 01:05 AM, Nicolas Kovacs wrote: > Le 13/04/2017 ? 04:27, Robert Moskowitz a ?crit : >> But make sure to have SELinux enabled if you do not run it chrooted. >> >> I have mine running that way. > > I bluntly admit not using SELinux, because until now, I mainly used more > bone-headed systems that didn't implement it. Maybe this is the right > time

Unable to determine IP address from host name "www.hdt-project.org" Getting this today? Not sure what issue is? I paid for the renewal back in 08/04/2016 and and in 2015, so the domain should be current? But the whois seems to show it is expired? Went to the gandi site, and it doesn't show a renewal option or anything? whois hdt-project.org [Querying

On Mon, Jul 10, 2017 at 8:02 AM, Rowland Penny via samba < samba at lists.samba.org> wrote: > On Mon, 10 Jul 2017 06:43:37 -0600 > Jeff Sadowski <jeff.sadowski at gmail.com> wrote: > > > Bind-9.11 is installed. How do you configure it? Does it need anything > > special in the config for samba to build the ...samba.../named.conf > > file that I should be able

That is one of the reasons I do not bother since long with public CAs but rather deploy my own, including own OSCP responder. Which has of course has some drawbacks like redundancy, resilience, bandwidth provision, geographical spread, implementing CA security standards and CA trust in clients. Latter though could be easily overcome if browser and email clients were to support DNSSEC/DANE