ISC DNSSEC Guide - Working with the Parent Zone

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

ISC DNSSEC Guide - Working with the Parent Zone

Daniel Stirnimann
Hi all,

I'm testing the key rollover behavior of BIND 9.16 with the new
introduced "dnssec-policy" statement.

The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:

"At the time of this writing (mid-2020) BIND does not check for the
presence of a DS record in the parent zone before completing the KSK or
CSK rollover and withdrawing the old key. Instead, you need to use the
rndc tool to tell named that the DS record has been published."

The last sentence that one has to tell named that the DS record has been
published is not what I'm observing. My tests show that BIND continues
(finishes) the key rollover. The use of the rndc tool is not required.
Is this an error in the documentation?

dnsviz output of the test domain:

badware.ch signed with key 39414 but no trust anchor in .ch yet:
https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/

badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
automatically picked up by CDS/CDNSKEY polling by the parent):
https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/

badware.ch key rollover from key 39414 to key 6207 in progress:
https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/

badware.ch previous key rollover finished. key 39414 is unused and will
be removed from the DNSKEY rrset soon. No "rndc" command has been used
to tell named to complete the key rollover.
Next key rollover started with the introduction of key 15769:
https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/


DNSSEC Policy:

dnssec-policy "test" {
    keys {
        csk key-directory lifetime 7d algorithm 13;
    };

    // Key timings
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;

    // Zone parameters
    max-zone-ttl 3600;
    zone-propagation-delay 300;

    // Parent parameters
    parent-ds-ttl 1h;
    parent-propagation-delay 1h;
};

Thank you,
Daniel

[1]
https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: ISC DNSSEC Guide - Working with the Parent Zone

Matthijs Mekking
Hi Daniel,

With which specific 9.16 version are you testing? The first versions
used an unsafe time based rollover, assuming the DS would be published
withing a certain time. In 9.16.7 a new rndc command "rndc dnssec
-checkds" was introduced to tell BIND 9 that the DS for a given key has
been published.

Best regards,

Matthijs

On 23-12-2020 09:53, Daniel Stirnimann wrote:

> Hi all,
>
> I'm testing the key rollover behavior of BIND 9.16 with the new
> introduced "dnssec-policy" statement.
>
> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>
> "At the time of this writing (mid-2020) BIND does not check for the
> presence of a DS record in the parent zone before completing the KSK or
> CSK rollover and withdrawing the old key. Instead, you need to use the
> rndc tool to tell named that the DS record has been published."
>
> The last sentence that one has to tell named that the DS record has been
> published is not what I'm observing. My tests show that BIND continues
> (finishes) the key rollover. The use of the rndc tool is not required.
> Is this an error in the documentation?
>
> dnsviz output of the test domain:
>
> badware.ch signed with key 39414 but no trust anchor in .ch yet:
> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>
> badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
> automatically picked up by CDS/CDNSKEY polling by the parent):
> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>
> badware.ch key rollover from key 39414 to key 6207 in progress:
> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>
> badware.ch previous key rollover finished. key 39414 is unused and will
> be removed from the DNSKEY rrset soon. No "rndc" command has been used
> to tell named to complete the key rollover.
> Next key rollover started with the introduction of key 15769:
> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>
>
> DNSSEC Policy:
>
> dnssec-policy "test" {
>      keys {
>          csk key-directory lifetime 7d algorithm 13;
>      };
>
>      // Key timings
>      dnskey-ttl 3600;
>      publish-safety 1h;
>      retire-safety 1h;
>
>      // Zone parameters
>      max-zone-ttl 3600;
>      zone-propagation-delay 300;
>
>      // Parent parameters
>      parent-ds-ttl 1h;
>      parent-propagation-delay 1h;
> };
>
> Thank you,
> Daniel
>
> [1]
> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: ISC DNSSEC Guide - Working with the Parent Zone

Daniel Stirnimann
Hello Matthijs,

I'm testing with version 9.16.9.

Ok, I'm more confused now.

For the current key rollover the DNSKEY RRset is not signed with both
the old key 6207 and the new key 15769 but only with the new key 15769.
The domain is now bogus:

https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/


rndc dnssec -status badware.ch
dnssec-policy: test
current time:  Wed Dec 23 10:42:00 2020

key: 39414 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         unretentive
  - ds:             unretentive
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 6207 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Dec 16 07:33:24 2020
  key signing:    no
  zone signing:   no

  Key is retired, will be removed on Fri Jan  1 11:43:24 2021
  - goal:           hidden
  - dnskey:         omnipresent
  - ds:             unretentive
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 15769 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Dec 23 07:33:24 2020
  key signing:    yes - since Wed Dec 23 07:33:24 2020
  zone signing:   yes - since Wed Dec 23 09:38:24 2020

  Next rollover scheduled on Wed Dec 30 07:33:24 2020
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent


Daniel

On 23.12.20 10:33, Matthijs Mekking wrote:

> Hi Daniel,
>
> With which specific 9.16 version are you testing? The first versions
> used an unsafe time based rollover, assuming the DS would be published
> withing a certain time. In 9.16.7 a new rndc command "rndc dnssec
> -checkds" was introduced to tell BIND 9 that the DS for a given key has
> been published.
>
> Best regards,
>
> Matthijs
>
> On 23-12-2020 09:53, Daniel Stirnimann wrote:
>> Hi all,
>>
>> I'm testing the key rollover behavior of BIND 9.16 with the new
>> introduced "dnssec-policy" statement.
>>
>> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>>
>> "At the time of this writing (mid-2020) BIND does not check for the
>> presence of a DS record in the parent zone before completing the KSK or
>> CSK rollover and withdrawing the old key. Instead, you need to use the
>> rndc tool to tell named that the DS record has been published."
>>
>> The last sentence that one has to tell named that the DS record has been
>> published is not what I'm observing. My tests show that BIND continues
>> (finishes) the key rollover. The use of the rndc tool is not required.
>> Is this an error in the documentation?
>>
>> dnsviz output of the test domain:
>>
>> badware.ch signed with key 39414 but no trust anchor in .ch yet:
>> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>>
>> badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
>> automatically picked up by CDS/CDNSKEY polling by the parent):
>> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>>
>> badware.ch key rollover from key 39414 to key 6207 in progress:
>> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>>
>> badware.ch previous key rollover finished. key 39414 is unused and will
>> be removed from the DNSKEY rrset soon. No "rndc" command has been used
>> to tell named to complete the key rollover.
>> Next key rollover started with the introduction of key 15769:
>> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>>
>>
>> DNSSEC Policy:
>>
>> dnssec-policy "test" {
>>      keys {
>>          csk key-directory lifetime 7d algorithm 13;
>>      };
>>
>>      // Key timings
>>      dnskey-ttl 3600;
>>      publish-safety 1h;
>>      retire-safety 1h;
>>
>>      // Zone parameters
>>      max-zone-ttl 3600;
>>      zone-propagation-delay 300;
>>
>>      // Parent parameters
>>      parent-ds-ttl 1h;
>>      parent-propagation-delay 1h;
>> };
>>
>> Thank you,
>> Daniel
>>
>> [1]
>> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> [hidden email]
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
[hidden email], www.switch.ch
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: ISC DNSSEC Guide - Working with the Parent Zone

Matthijs Mekking
Hi Daniel,

This zone was signed before, prior to switching to 'dnssec-policy'? Or
did you enable DNSSEC by adding 'dnssec-policy'?

If you have them, would you be able to share with me (off list) the logs
and the key (state) files?

- Matthijs


On 23-12-2020 10:47, Daniel Stirnimann wrote:

> Hello Matthijs,
>
> I'm testing with version 9.16.9.
>
> Ok, I'm more confused now.
>
> For the current key rollover the DNSKEY RRset is not signed with both
> the old key 6207 and the new key 15769 but only with the new key 15769.
> The domain is now bogus:
>
> https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
>
>
> rndc dnssec -status badware.ch
> dnssec-policy: test
> current time:  Wed Dec 23 10:42:00 2020
>
> key: 39414 (ECDSAP256SHA256), CSK
>    published:      no
>    key signing:    no
>    zone signing:   no
>
>    Key has been removed from the zone
>    - goal:           hidden
>    - dnskey:         unretentive
>    - ds:             unretentive
>    - zone rrsig:     unretentive
>    - key rrsig:      hidden
>
> key: 6207 (ECDSAP256SHA256), CSK
>    published:      yes - since Wed Dec 16 07:33:24 2020
>    key signing:    no
>    zone signing:   no
>
>    Key is retired, will be removed on Fri Jan  1 11:43:24 2021
>    - goal:           hidden
>    - dnskey:         omnipresent
>    - ds:             unretentive
>    - zone rrsig:     unretentive
>    - key rrsig:      hidden
>
> key: 15769 (ECDSAP256SHA256), CSK
>    published:      yes - since Wed Dec 23 07:33:24 2020
>    key signing:    yes - since Wed Dec 23 07:33:24 2020
>    zone signing:   yes - since Wed Dec 23 09:38:24 2020
>
>    Next rollover scheduled on Wed Dec 30 07:33:24 2020
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - ds:             rumoured
>    - zone rrsig:     rumoured
>    - key rrsig:      omnipresent
>
>
> Daniel
>
> On 23.12.20 10:33, Matthijs Mekking wrote:
>> Hi Daniel,
>>
>> With which specific 9.16 version are you testing? The first versions
>> used an unsafe time based rollover, assuming the DS would be published
>> withing a certain time. In 9.16.7 a new rndc command "rndc dnssec
>> -checkds" was introduced to tell BIND 9 that the DS for a given key has
>> been published.
>>
>> Best regards,
>>
>> Matthijs
>>
>> On 23-12-2020 09:53, Daniel Stirnimann wrote:
>>> Hi all,
>>>
>>> I'm testing the key rollover behavior of BIND 9.16 with the new
>>> introduced "dnssec-policy" statement.
>>>
>>> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>>>
>>> "At the time of this writing (mid-2020) BIND does not check for the
>>> presence of a DS record in the parent zone before completing the KSK or
>>> CSK rollover and withdrawing the old key. Instead, you need to use the
>>> rndc tool to tell named that the DS record has been published."
>>>
>>> The last sentence that one has to tell named that the DS record has been
>>> published is not what I'm observing. My tests show that BIND continues
>>> (finishes) the key rollover. The use of the rndc tool is not required.
>>> Is this an error in the documentation?
>>>
>>> dnsviz output of the test domain:
>>>
>>> badware.ch signed with key 39414 but no trust anchor in .ch yet:
>>> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>>>
>>> badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
>>> automatically picked up by CDS/CDNSKEY polling by the parent):
>>> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>>>
>>> badware.ch key rollover from key 39414 to key 6207 in progress:
>>> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>>>
>>> badware.ch previous key rollover finished. key 39414 is unused and will
>>> be removed from the DNSKEY rrset soon. No "rndc" command has been used
>>> to tell named to complete the key rollover.
>>> Next key rollover started with the introduction of key 15769:
>>> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>>>
>>>
>>> DNSSEC Policy:
>>>
>>> dnssec-policy "test" {
>>>       keys {
>>>           csk key-directory lifetime 7d algorithm 13;
>>>       };
>>>
>>>       // Key timings
>>>       dnskey-ttl 3600;
>>>       publish-safety 1h;
>>>       retire-safety 1h;
>>>
>>>       // Zone parameters
>>>       max-zone-ttl 3600;
>>>       zone-propagation-delay 300;
>>>
>>>       // Parent parameters
>>>       parent-ds-ttl 1h;
>>>       parent-propagation-delay 1h;
>>> };
>>>
>>> Thank you,
>>> Daniel
>>>
>>> [1]
>>> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> [hidden email]
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> [hidden email]
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: ISC DNSSEC Guide - Working with the Parent Zone

Daniel Stirnimann
Hi Matthijs,

The zone was not signed before. I enabled DNSSEC by adding the
'dnssec-policy'. I will send you the requested files off list.

Thank you,
Daniel

On 23.12.20 11:39, Matthijs Mekking wrote:

> Hi Daniel,
>
> This zone was signed before, prior to switching to 'dnssec-policy'? Or
> did you enable DNSSEC by adding 'dnssec-policy'?
>
> If you have them, would you be able to share with me (off list) the logs
> and the key (state) files?
>
> - Matthijs
>
>
> On 23-12-2020 10:47, Daniel Stirnimann wrote:
>> Hello Matthijs,
>>
>> I'm testing with version 9.16.9.
>>
>> Ok, I'm more confused now.
>>
>> For the current key rollover the DNSKEY RRset is not signed with both
>> the old key 6207 and the new key 15769 but only with the new key 15769.
>> The domain is now bogus:
>>
>> https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
>>
>>
>> rndc dnssec -status badware.ch
>> dnssec-policy: test
>> current time:  Wed Dec 23 10:42:00 2020
>>
>> key: 39414 (ECDSAP256SHA256), CSK
>>    published:      no
>>    key signing:    no
>>    zone signing:   no
>>
>>    Key has been removed from the zone
>>    - goal:           hidden
>>    - dnskey:         unretentive
>>    - ds:             unretentive
>>    - zone rrsig:     unretentive
>>    - key rrsig:      hidden
>>
>> key: 6207 (ECDSAP256SHA256), CSK
>>    published:      yes - since Wed Dec 16 07:33:24 2020
>>    key signing:    no
>>    zone signing:   no
>>
>>    Key is retired, will be removed on Fri Jan  1 11:43:24 2021
>>    - goal:           hidden
>>    - dnskey:         omnipresent
>>    - ds:             unretentive
>>    - zone rrsig:     unretentive
>>    - key rrsig:      hidden
>>
>> key: 15769 (ECDSAP256SHA256), CSK
>>    published:      yes - since Wed Dec 23 07:33:24 2020
>>    key signing:    yes - since Wed Dec 23 07:33:24 2020
>>    zone signing:   yes - since Wed Dec 23 09:38:24 2020
>>
>>    Next rollover scheduled on Wed Dec 30 07:33:24 2020
>>    - goal:           omnipresent
>>    - dnskey:         omnipresent
>>    - ds:             rumoured
>>    - zone rrsig:     rumoured
>>    - key rrsig:      omnipresent
>>
>>
>> Daniel
>>
>> On 23.12.20 10:33, Matthijs Mekking wrote:
>>> Hi Daniel,
>>>
>>> With which specific 9.16 version are you testing? The first versions
>>> used an unsafe time based rollover, assuming the DS would be published
>>> withing a certain time. In 9.16.7 a new rndc command "rndc dnssec
>>> -checkds" was introduced to tell BIND 9 that the DS for a given key has
>>> been published.
>>>
>>> Best regards,
>>>
>>> Matthijs
>>>
>>> On 23-12-2020 09:53, Daniel Stirnimann wrote:
>>>> Hi all,
>>>>
>>>> I'm testing the key rollover behavior of BIND 9.16 with the new
>>>> introduced "dnssec-policy" statement.
>>>>
>>>> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>>>>
>>>> "At the time of this writing (mid-2020) BIND does not check for the
>>>> presence of a DS record in the parent zone before completing the KSK or
>>>> CSK rollover and withdrawing the old key. Instead, you need to use the
>>>> rndc tool to tell named that the DS record has been published."
>>>>
>>>> The last sentence that one has to tell named that the DS record has been
>>>> published is not what I'm observing. My tests show that BIND continues
>>>> (finishes) the key rollover. The use of the rndc tool is not required.
>>>> Is this an error in the documentation?
>>>>
>>>> dnsviz output of the test domain:
>>>>
>>>> badware.ch signed with key 39414 but no trust anchor in .ch yet:
>>>> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>>>>
>>>> badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
>>>> automatically picked up by CDS/CDNSKEY polling by the parent):
>>>> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>>>>
>>>> badware.ch key rollover from key 39414 to key 6207 in progress:
>>>> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>>>>
>>>> badware.ch previous key rollover finished. key 39414 is unused and will
>>>> be removed from the DNSKEY rrset soon. No "rndc" command has been used
>>>> to tell named to complete the key rollover.
>>>> Next key rollover started with the introduction of key 15769:
>>>> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>>>>
>>>>
>>>> DNSSEC Policy:
>>>>
>>>> dnssec-policy "test" {
>>>>       keys {
>>>>           csk key-directory lifetime 7d algorithm 13;
>>>>       };
>>>>
>>>>       // Key timings
>>>>       dnskey-ttl 3600;
>>>>       publish-safety 1h;
>>>>       retire-safety 1h;
>>>>
>>>>       // Zone parameters
>>>>       max-zone-ttl 3600;
>>>>       zone-propagation-delay 300;
>>>>
>>>>       // Parent parameters
>>>>       parent-ds-ttl 1h;
>>>>       parent-propagation-delay 1h;
>>>> };
>>>>
>>>> Thank you,
>>>> Daniel
>>>>
>>>> [1]
>>>> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>>
>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>
>>>>
>>>> bind-users mailing list
>>>> [hidden email]
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> [hidden email]
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
[hidden email], www.switch.ch
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users