[dns-operations] Requesting insight about a RRSIG expiration/renewal issue
Tony Finch
dot at dotat.at
Tue Jul 4 09:21:58 UTC 2017
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> On Mon, Jul 03, 2017 at 03:21:31PM -0400, Phil Pennock wrote:
>
> > Meanwhile I too have issues elsewhere with Bind DNSSEC auto-signing
> > breaking a zone once or twice per year. So I've got "move those to
> > scripted manual signing" on my plate.
>
> For me, BIND's unattended re-signing works well enough, with
> monitoring catching the very rare glitches. It would be even better
> if the underlying issue were identified and resolved.

Are you using inline-signing?

I'm not aware that my servers have had problems with auto-dnssec maintain
without inline-signing. (I still use nsdiff | nsupdate to publish changes.)

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Northwest Fitzroy, Sole: Variable 3 or 4 becoming northeasterly 4 or 5. Slight
or moderate. Showers. Good, occasionally poor.