[dns-operations] Requesting insight about a RRSIG expiration/renewal issue

Phil Pennock dnsop+phil at spodhuis.org
Mon Jul 3 19:21:31 UTC 2017

On 2017-07-03 at 10:19 -0700, Richard Lamb wrote:
> Ive had similar experiences when having students do bind in-line signing in
> class. Its very hard to know what is going on inside sometimes and have
> just chalked that up to my own lack of understanding the intricacies.
> ..then suggesting that for relatively static, medium sized zones that
> simple scripts are easier to manage. -Rick

Mostly agreed, but I've also hit issues with the tooling available for
script-based signing.

Eg, exim.org recently had breakage because of bugs in ldnstools; I found
that "ldns-signzone" from ldnsutils 1.6.17-1 (Ubuntu 14.04.5) generates
bad zones, with "some" records being broken at any given time: each
re-sign rolls the dice as to which records would be broken.

I ended up installing current ldnstools from source and _also_
installing the Bind9 tools, so that I could change the scripting to
first use "ldns-signzone" and then use "dnssec-verify" to test the
results, before putting the signed zone live.  That's two different DNS
codebases, checking each other.

Meanwhile I too have issues elsewhere with Bind DNSSEC auto-signing
breaking a zone once or twice per year.  So I've got "move those to
scripted manual signing" on my plate.


More information about the dns-operations mailing list