[dns-operations] Requesting insight about a RRSIG expiration/renewal issue
Phil Pennock
dnsop+phil at spodhuis.org
Mon Jul 3 19:21:31 UTC 2017
On 2017-07-03 at 10:19 -0700, Richard Lamb wrote:
> I've had similar experiences when having students do bind in-line signing in
> class. It's very hard to know what is going on inside sometimes and have
> just chalked that up to my own lack of understanding the intricacies.
> ...then suggesting that for relatively static, medium sized zones that
> simple scripts are easier to manage. -Rick
Mostly agreed, but I've also hit issues with the tooling available for
script-based signing.
E.g., exim.org recently had breakage because of bugs in ldnstools; I found
that "ldns-signzone" from ldnsutils 1.6.17-1 (Ubuntu 14.04.5) generates
bad zones, with "some" records being broken at any given time: each
re-sign rolls the dice as to which records would be broken.
I ended up installing current ldnstools from source and _also_
installing the Bind9 tools, so that I could change the scripting to
first use "ldns-signzone" and then use "dnssec-verify" to test the
results, before putting the signed zone live. That's two different DNS
codebases, checking each other.
Meanwhile I too have issues elsewhere with Bind DNSSEC auto-signing
breaking a zone once or twice per year. So I've got "move those to
scripted manual signing" on my plate.
-Phil
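An added example of the sign-then-cross-check gate Phil describes, extended with a check for the RRSIG expiration problem in the thread's subject; this is not code from the message or from the ldns/BIND projects. The ldns-signzone and dnssec-verify command-line flags, the sample zone lines and the seven-day re-sign cadence are assumptions.

```python
"""Publish gate for a script-signed zone: sign with ldns-signzone, cross-check with
BIND's dnssec-verify (a second codebase), and refuse to publish when any RRSIG
would expire before the next scheduled re-sign plus a safety margin."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Presentation-format RRSIG: owner [ttl] [IN] RRSIG type alg labels origttl expiration inception ...
RRSIG_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s",
    re.IGNORECASE,
)

# Constructed sample of a signed zone (not real data): the A RRSIG lapses two weeks early.
SAMPLE_ZONE = (
    "example.org.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20170720000000 20170620000000 12345 example.org. c29tZXNpZw==\n"
    "www.example.org. 3600 IN RRSIG A 8 3 3600 20170705000000 20170605000000 12345 example.org. c29tZXNpZw==\n"
    "example.org. 3600 IN A 192.0.2.1\n"
)


def parse_sigtime(text):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_expirations(zone_text):
    """(owner, type covered, expiration) for every RRSIG line in a signed zone file."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2).upper(), parse_sigtime(m.group(3))))
    return found


def expiring_before(zone_text, deadline):
    """RRSIGs that lapse before `deadline`; any hit means the zone must not go live."""
    return [r for r in rrsig_expirations(zone_text) if r[2] < deadline]


def sign_and_gate(zonefile, origin, keys, resign_days=7, margin_days=3):
    """Sign, verify with a second implementation, then check expirations; returns the signed file.
    Assumed CLI usage: ldns-signzone -o origin -f out zone key...; dnssec-verify -o origin zone."""
    signed = zonefile + ".signed"
    subprocess.run(["ldns-signzone", "-o", origin, "-f", signed, zonefile, *keys], check=True)
    subprocess.run(["dnssec-verify", "-o", origin, signed], check=True)  # non-zero exit aborts here
    with open(signed) as fh:
        zone_text = fh.read()
    deadline = datetime.now(timezone.utc) + timedelta(days=resign_days + margin_days)
    bad = expiring_before(zone_text, deadline)
    if bad:
        raise RuntimeError(f"{len(bad)} RRSIG(s) expire before the next re-sign, e.g. {bad[0]}")
    return signed
```

Running `expiring_before(SAMPLE_ZONE, parse_sigtime("20170710000000"))` flags only the www.example.org. A signature, which is the kind of partially broken zone the message describes.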