[dns-operations] Requesting insight about a RRSIG expiration/renewal issue
Sadiq Saif
lists at sadiqs.com
Mon Jul 3 01:02:46 UTC 2017
Hi all,
I would like your insight on an odd RRSIG expiration/renewal issue.
Zone in question is asininetech.com. Master nameserver software is BIND
9.10.3-P4-Ubuntu.
Relevant zone config:
    zone "asininetech.com" {
        type master;
        file "/etc/bind/master/asininetech.com.zone";
        key-directory "/etc/bind/keys";
        auto-dnssec maintain;
        inline-signing yes;
        allow-transfer {
            xfer;
        };
    };
This morning I was made aware of two particular hostnames in that zone
(ivy.asininetech.com, karrin.asininetech.com) SERVFAILing, the error
provided by dnsviz.net:
RRSIG ivy.asininetech.com/A alg 8, id 26091: The Signature Expiration
field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.
RRSIG ivy.asininetech.com/AAAA alg 8, id 26091: The Signature Expiration
field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.
I fixed the issue by restarting the BIND daemon. Is this just a case of
BIND missing a key event in its automation or something else?
No other zone or host name under a zone was affected in this manner.
Let me know if I am missing something obvious or if more information is
needed to debug.
Thanks in advance,
--
Sadiq Saif
https://sadiqsaif.com
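
A monitoring check for the failure described in this post, added as an example and not part of the original message or of BIND: it reads RRSIG records in presentation format, one per line as plain `dig +dnssec` prints them, and classifies each signature as expired, not yet valid, close to expiry, or ok. The function names, the three-day warning window and the sample records are assumptions; only the expiration time, algorithm and key tag are taken from the dnsviz error above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, one record per line as plain `dig +dnssec` prints it.
# Expiration, algorithm and key tag are from the dnsviz error in the post;
# inception, TTLs, the www record and the signature placeholders are made up.
SAMPLE = """\
; constructed answer section
ivy.asininetech.com. 3600 IN RRSIG A 8 3 3600 20170630232512 20170531222512 26091 asininetech.com. c2lnLXBsYWNlaG9sZGVy
ivy.asininetech.com. 3600 IN RRSIG AAAA 8 3 3600 20170630232512 20170531222512 26091 asininetech.com. c2lnLXBsYWNlaG9sZGVy
www.asininetech.com. 3600 IN RRSIG A 8 3 3600 20170725010000 1498348800 26091 asininetech.com. c2lnLXBsYWNlaG9sZGVy
"""


def parse_rrsig_time(field):
    """RFC 4034 3.2 allows YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Return (owner, covered type, key tag, status) for each RRSIG line."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 9:
            continue  # truncated record, nothing reliable to check
        covered, _alg, _labels, _ottl, exp, inc, tag = fields[i + 1:i + 8]
        expires, incepts = parse_rrsig_time(exp), parse_rrsig_time(inc)
        if expires <= now:
            status = "expired"
        elif incepts > now:
            status = "not-yet-valid"
        elif expires - now <= warn:
            status = "expiring"
        else:
            status = "ok"
        results.append((fields[0], covered, int(tag), status))
    return results


if __name__ == "__main__":
    # Constructed check time on the day the failures were noticed.
    for row in check_rrsigs(SAMPLE, datetime(2017, 7, 2, 12, tzinfo=timezone.utc)):
        print(*row)
```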