Posts by geb@mamot.fr
(DIR) Post #AcGUihpJaDwl7ONnVI by geb@mamot.fr
2023-11-28T12:09:19Z
0 likes, 0 repeats
@lanodan @bortzmeyer Thank you both. I'll try to report it to see how long it takes to be solved 🙂
(DIR) Post #AcGUiieMWQmPfiGZ4S by geb@mamot.fr
2023-11-28T12:10:45Z
0 likes, 0 repeats
@lanodan @bortzmeyer (The 3 *1* 1 isn't convenient, I understand the point of it, but I haven't found a nice one-liner to extract the fp with openssl :/)
(DIR) Post #AcVjXljN8lo2j0FFce by geb@mamot.fr
2023-12-05T20:48:49Z
0 likes, 0 repeats
@bortzmeyer @lanodan In the end, I forced myself to do it: `$ echo Q | openssl s_client -connect www.debian.org:443 2> /dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`
(DIR) Post #Aca41onXyBb3EystyC by geb@mamot.fr
2023-12-07T22:25:31Z
1 likes, 0 repeats
@bortzmeyer @lanodan
> And I have just notified hostmaster@, we'll see how long it takes :)
Fixed in about a dozen hours. Thanks to hostmaster@ if they read this.
(DIR) Post #AcuDh5M5DMeihbJ3Am by geb@mamot.fr
2023-12-17T16:07:07Z
0 likes, 0 repeats
Hi #DNS folks. I am encountering an issue with LetsEncrypt. It seems that their resolver now returns SERVFAIL when receiving NXDOMAIN for CAA records, preventing certificates from being issued (renewed?), in some conditions. There are many posts from people stuck with the problem. Some point to a powerDNS bug (which my provider is likely to use).
However, the last line of their debug tool makes me suspicious. Ex:
- https://unboundtest.com/m/TXT/tp10.goessens.fr/4FVOKLRX
- https://unboundtest.com/m/CAA/tp10.goessens.fr/2YWKID6V
@bortzmeyer opinion?
(DIR) Post #AcuEB8ahkSJVQRTX72 by geb@mamot.fr
2023-12-17T16:23:44Z
0 likes, 0 repeats
@bortzmeyer Right, sorry, still, I don't understand why unbound and so letsencrypt send a SERVFAIL in this case (https://github.com/NLnetLabs/unbound/issues/946 ?). I hope it won't block certs renewal...
(DIR) Post #AcuEs1Db2GlD0m77ku by geb@mamot.fr
2023-12-17T16:32:58Z
0 likes, 0 repeats
@bortzmeyer funny maybe, but the bug seems to be on the production LetsEncrypt resolvers 😨
(DIR) Post #AcuIOM59IeS4qfH1Um by geb@mamot.fr
2023-12-17T17:12:28Z
0 likes, 0 repeats
@bortzmeyer
Right. My test domain `tp10.goessens.fr` is running on dynv6.com, which also seems not to return SOA for NODATA.
According to my reading of https://www.rfc-editor.org/rfc/rfc2308#section-2.2 this SOA seems to be mandatory or at least expected (thanks, I did not know about it!)
Letsencrypt advertises a powerdns bug in https://community.letsencrypt.org/t/caa-servfail-changes/38298/3 and https://letsencrypt.org/docs/caa/ but it seems more related to DNSSEC.
Let's hope it won't block renewals. According to the number of posts on the LE forum, I am not the only one...
(DIR) Post #AcwUUHhe57PmlpnGYy by geb@mamot.fr
2023-12-18T18:37:20Z
0 likes, 0 repeats
@bortzmeyer @pmevzek Thanks for the test. I don't find a lot of recent examples (except maybe https://community.letsencrypt.org/t/potential-networking-client-changes-on-dns-challenges/207967/31) and thanks to your help I now understand that returning SERVFAIL for NODATA without SOA is valid. I am just curious to see how many people will have the issue. The change is quite recent in unbound and according to your own test, not a lot of resolvers behave the same, so it could be quite surprising. Let's see ... thanks anyway.
(DIR) Post #AdUOAkQDt3TsnniuEi by geb@mamot.fr
2024-01-04T03:06:50Z
0 likes, 0 repeats
@bortzmeyer @pmevzek Apparently the strict unbound SERVFAIL on NODATA without SOA has been corrected. https://github.com/NLnetLabs/unbound/commit/b865aca03a5c653356334c789b54e70c0bd0e08d#diff-960d97da4fff47137f1f6e59ece820988c80424e865244d620c2224fb1b1f605L285 & https://github.com/NLnetLabs/unbound/issues/946
(DIR) Post #As0SkRGfr1VA8cuvAG by geb@mamot.fr
2025-03-13T07:40:15Z
0 likes, 0 repeats
Hello. For a #DNS course I am looking for examples of working #IDN domain names, ideally ones that have a website on them to show to students. I have difficulty finding some. Any ideas? cc @bortzmeyer @shaft
(DIR) Post #As0SkYAYCBlLXf6d5k by geb@mamot.fr
2025-03-13T07:44:00Z
0 likes, 0 repeats
@bortzmeyer @shaft The only ones I have now are https://réussir-en.fr, TLDs, https://www.iana.org/domains/root/db. Most of the others, like the example on the Wikipedia page, http://ουτοπία.δπθ.gr are not that good for a demo...
(DIR) Post #AvFSUyel0ibomMBHBA by geb@mamot.fr
2025-06-17T20:58:37Z
0 likes, 0 repeats
@DNSresolver etudiant.gouv.fr
(DIR) Post #AvFSV7VA7lHWDClEyO by geb@mamot.fr
2025-06-17T20:58:58Z
0 likes, 0 repeats
@DNSresolver enseignementsup-recherche.gouv.fr
(DIR) Post #AvFSVF227wjbZBC5gG by geb@mamot.fr
2025-06-17T21:04:24Z
0 likes, 0 repeats
@DNSresolver ate.info
(DIR) Post #AvFScX6bKOxVeEo7YO by geb@mamot.fr
2025-06-17T21:05:39Z
0 likes, 0 repeats
cc @bortzmeyer
(DIR) Post #AvFScY21sstcWLfz4C by geb@mamot.fr
2025-06-17T21:07:29Z
0 likes, 0 repeats
@bortzmeyer (and dig has a funny bug, it says `couldn't get address for '$NS': not found` when it can't find it (the case of the first two domains) but also when it can't reach it (the case of the last domain or of domains I have students play with))
(DIR) Post #AvFScYysM5y3SrCyn2 by geb@mamot.fr
2025-06-17T21:09:55Z
0 likes, 0 repeats
@DNSresolver recherche.gouv.fr
(DIR) Post #AvFScaYMVdwoLCopk0 by geb@mamot.fr
2025-06-17T21:27:29Z
0 likes, 0 repeats
cc @guerby @mherrb too
(DIR) Post #AxXEL5e6x5mLixgMy0 by geb@mamot.fr
2025-08-25T17:22:46Z
1 likes, 0 repeats
@bortzmeyer https://x.com/grok/status/1959771323682685288 cc @pb