[dns-operations] Requesting insight about a RRSIG expiration/renewal issue

Tony Finch dot at dotat.at
Tue Jul 4 09:21:58 UTC 2017

Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> On Mon, Jul 03, 2017 at 03:21:31PM -0400, Phil Pennock wrote:
> > Meanwhile I too have issues elsewhere with Bind DNSSEC auto-signing
> > breaking a zone once or twice per year.  So I've got "move those to
> > scripted manual signing" on my plate.
> For me, BIND's unattended re-signing works well enough, with
> monitoring catching the very rare glitches.  It would be even better
> if the underlying issue were identified and resolved.

Are you using inline-signing?

I'm not aware that my servers have had problems with auto-dnssec maintain
without inline-signing. (I still use nsdiff | nsupdate to publish changes.)

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Northwest Fitzroy, Sole: Variable 3 or 4 becoming northeasterly 4 or 5. Slight
or moderate. Showers. Good, occasionally poor.

More information about the dns-operations mailing list