[dns-operations] Requesting insight about a RRSIG expiration/renewal issue

Richard Lamb richard.lamb at icann.org
Mon Jul 3 17:19:13 UTC 2017


I've had similar experiences when having students do BIND in-line signing in
class. It's very hard to know what is going on inside sometimes, and I have
just chalked that up to my own lack of understanding of the intricacies.
...then suggesting that for relatively static, medium-sized zones,
simple scripts are easier to manage. -Rick

On Mon, Jul 3, 2017 at 6:21 AM, Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Sun, Jul 02, 2017 at 09:02:46PM -0400, Sadiq Saif wrote:
>
> >        auto-dnssec maintain;
> >        inline-signing yes;
> >
> > RRSIG ivy.asininetech.com/A alg 8, id 26091: The Signature Expiration
> > field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.
> > RRSIG ivy.asininetech.com/AAAA alg 8, id 26091: The Signature Expiration
> > field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.
> >
> > I fixed the issue by restarting the BIND daemon. Is this just a case of
> > BIND missing a key event in its automation or something else?
>
> There appear to be some bugs in some versions of BIND that break
> automatic re-signing.  I've observed this at least once with my
> personal zone, shortly after introducing a new ZSK.  I think there
> may have been an earlier occasion, possibly not related to key
> rotation.  My zones are rather static, and the problem has only
> been seen once or twice in 3+ years.  Perhaps there's some sort of
> issue with automatic signing and zone data modification.
>
> My solution is *monitoring*.  I run a daily cron job that checks
> the signature expiration time of every RRset in my signed zones.  When
> any RRset's remaining signature validity is <= 3 days I get an
> email notification. If the condition persists I manually re-sign
> the zone.
>
> I don't know why BIND sometimes forgets to continue signing the
> zone.
>
> --
>         Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
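A minimal version of the daily expiration check Viktor describes, added here as an example and not code from either poster: it parses RRSIG records in dig-style presentation format (the sample records below are constructed, with placeholder signatures), measures each signature's remaining validity against a given clock, and reports anything already expired, inside the 3-day margin, or not yet valid. The function and variable names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Remaining validity at or below this triggers an alert (the 3-day margin from the thread).
ALERT_THRESHOLD = timedelta(days=3)

# Constructed sample in dig-style presentation format, one RRSIG per line, for the
# zone named in the thread. The base64 signature fields are placeholders, not real data.
SAMPLE_RRSIGS = """\
ivy.asininetech.com. 3600 IN RRSIG A 8 3 3600 20170630232512 20170601232512 26091 asininetech.com. PLACEHOLDER==
ivy.asininetech.com. 3600 IN RRSIG AAAA 8 3 3600 20170630232512 20170601232512 26091 asininetech.com. PLACEHOLDER==
asininetech.com. 3600 IN RRSIG SOA 8 2 3600 20170720000000 20170620000000 26091 asininetech.com. PLACEHOLDER==
asininetech.com. 3600 IN RRSIG NS 8 2 3600 20170704000000 20170604000000 26091 asininetech.com. PLACEHOLDER==
"""

# owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)"
)

def parse_rrsig_time(field):
    """RFC 4034 presentation form YYYYMMDDHHmmSS, always interpreted as UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(text, now, threshold=ALERT_THRESHOLD):
    """Return one (owner, type_covered, key_tag, status, remaining_days) tuple per RRSIG
    whose validity window is over, about to end, or has not opened yet."""
    findings = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue  # not an RRSIG in the expected one-line form; skip it
        owner, covered, _alg, expiration, inception, key_tag, _signer = m.groups()
        remaining = parse_rrsig_time(expiration) - now
        if now < parse_rrsig_time(inception):
            status = "not-yet-valid"   # clock skew or a signer with a bad clock
        elif remaining <= timedelta(0):
            status = "expired"         # validators already fail this RRset
        elif remaining <= threshold:
            status = "expiring"        # re-signing has stalled; intervene now
        else:
            continue                   # healthy; nothing to report
        findings.append((owner, covered, int(key_tag), status, remaining / timedelta(days=1)))
    return findings

if __name__ == "__main__":
    now = datetime(2017, 7, 2, tzinfo=timezone.utc)  # constructed check time
    for owner, covered, tag, status, days in check_rrsigs(SAMPLE_RRSIGS, now):
        print(f"{status:14s} {owner} {covered} keytag {tag}: {days:+.1f} days remaining")
```

In a cron job the sample text would come from the zone's signed output (for example `dig +dnssec` answers or a dump of the signed zone file), with the findings mailed out whenever the list is non-empty.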