[dns-operations] Requesting insight about a RRSIG expiration/renewal issue
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jul 3 13:21:40 UTC 2017
On Sun, Jul 02, 2017 at 09:02:46PM -0400, Sadiq Saif wrote:
> auto-dnssec maintain;
> inline-signing yes;
>
> RRSIG ivy.asininetech.com/A alg 8, id 26091: The Signature Expiration
> field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.
> RRSIG ivy.asininetech.com/AAAA alg 8, id 26091: The Signature Expiration
> field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.
>
> I fixed the issue by restarting the BIND daemon. Is this just a case of
> BIND missing a key event in its automation or something else?
There appear to be some bugs in some versions of BIND that break
automatic re-signing. I've observed this at least once with my
personal zone, shortly after introducing a new ZSK. I think there
may have been an earlier occasion, possibly not related to key
rotation. My zones are rather static, and the problem has only
been seen once or twice in 3+ years. Perhaps there's some sort of
issue with automatic signing and zone data modification.
My solution is *monitoring*. I run a daily cron job that checks
the signature expiration time of every RRset in my signed zones. When
any RRset's remaining signature validity is <= 3 days I get an
email notification. If the condition persists I manually re-sign
the zone.
I don't know why BIND sometimes forgets to continue signing the
zone.
--
Viktor.
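The daily check described above, written out as an added example; this is not Viktor's own cron script, which the post does not include. It parses RRSIG records in standard presentation format (the lines that `dig +dnssec +noall +answer <name> <type>` prints, or the RRSIG lines of a signed zone file), computes the remaining validity of each signature against a supplied "now", and reports every RRset at or below a 3-day threshold, including signatures that are already expired as in the report quoted at the top. The sample records, the name `www.asininetech.com`, the addresses and the placeholder signature data are constructed for the example.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034, section 3.2), as printed by
# "dig +dnssec" or found in a signed zone file:
#   <owner> [<ttl>] [<class>] RRSIG <type> <alg> <labels> <orig-ttl>
#           <expiration> <inception> <keytag> <signer> <signature...>
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+"
    r"(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+\S"
)


def rrsig_time(stamp):
    """Convert a YYYYMMDDHHmmSS RRSIG timestamp to an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Yield one dict per RRSIG record; non-RRSIG lines and comments are skipped."""
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            yield {
                "owner": m["owner"],
                "covered": m["covered"],
                "alg": int(m["alg"]),
                "keytag": int(m["keytag"]),
                "expiration": rrsig_time(m["expiration"]),
                "inception": rrsig_time(m["inception"]),
            }


def check_signatures(text, now, warn_days=3):
    """Return (owner, type, keytag, remaining) for every RRSIG whose remaining
    validity is <= warn_days.  A negative remaining timedelta means the
    signature has already expired, which is the situation in the post."""
    threshold = timedelta(days=warn_days)
    problems = []
    for sig in parse_rrsigs(text):
        remaining = sig["expiration"] - now
        if remaining <= threshold:
            problems.append((sig["owner"], sig["covered"], sig["keytag"], remaining))
    return problems


def format_problem(owner, covered, keytag, remaining):
    """One report line per problem RRset, suitable for a cron mail."""
    if remaining < timedelta(0):
        return f"EXPIRED  {owner}/{covered} (key {keytag}): expired {-remaining} ago"
    return f"EXPIRING {owner}/{covered} (key {keytag}): {remaining} left"


# Constructed sample, modelled on the records in the post.  Addresses are
# RFC 5737/3849 documentation addresses, www.asininetech.com is a made-up
# name, and the trailing "AAAA" stands in for the base64 signature data.
SAMPLE = """\
ivy.asininetech.com.  300 IN A     192.0.2.10
ivy.asininetech.com.  300 IN RRSIG A    8 3 300 20170630232512 20170531232512 26091 asininetech.com. AAAA
ivy.asininetech.com.  300 IN AAAA  2001:db8::10
ivy.asininetech.com.  300 IN RRSIG AAAA 8 3 300 20170630232512 20170531232512 26091 asininetech.com. AAAA
www.asininetech.com.  300 IN RRSIG A    8 3 300 20170704000000 20170604000000 26091 asininetech.com. AAAA
asininetech.com.      300 IN RRSIG SOA  8 2 300 20170801120000 20170702120000 26091 asininetech.com. AAAA
"""

# Fixed "now" so the sample is reproducible: shortly after the report in the post.
SAMPLE_NOW = datetime(2017, 7, 2, 1, 2, 46, tzinfo=timezone.utc)


if __name__ == "__main__":
    # "--demo" runs against the constructed sample; otherwise pipe the output
    # of "dig +dnssec +noall +answer <name> <type>" (or a signed zone file) on
    # stdin.  Exit status 1 and any printed line mean a signature needs attention.
    if "--demo" in sys.argv:
        text, now = SAMPLE, SAMPLE_NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    problems = check_signatures(text, now)
    for p in problems:
        print(format_problem(*p))
    sys.exit(1 if problems else 0)
```

Run from cron, the script prints nothing and exits 0 while every signature has more than 3 days left, so cron's default behaviour of mailing non-empty output to MAILTO gives exactly the notification the post describes. The threshold should sit comfortably inside the zone's re-sign interval so that a missed re-signing event is caught while the old signatures still validate; with BIND's default signature lifetime of 30 days and 3 days of warning, the zone will have failed to re-sign for several weeks before the alert fires, so a larger `warn_days` is reasonable if you want earlier notice.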