<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Ive had similar experiences when having students do bind in-line signing in class. Its very hard to know what is going on inside sometimes and have just chalked that up to my own lack of understanding the intricacies. ..then suggesting that for relatively static, medium sized zones that simple scripts are easier to manage. -Rick </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 3, 2017 at 6:21 AM, Viktor Dukhovni <span dir="ltr"><<a href="mailto:ietf-dane@dukhovni.org" target="_blank">ietf-dane@dukhovni.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sun, Jul 02, 2017 at 09:02:46PM -0400, Sadiq Saif wrote:<br>
<br>
> auto-dnssec maintain;<br>
> inline-signing yes;<br>
<span class="">><br>
> RRSIG <a href="http://ivy.asininetech.com/A" rel="noreferrer" target="_blank">ivy.asininetech.com/A</a> alg 8, id 26091: The Signature Expiration<br>
> field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.<br>
> RRSIG <a href="http://ivy.asininetech.com/AAAA" rel="noreferrer" target="_blank">ivy.asininetech.com/AAAA</a> alg 8, id 26091: The Signature Expiration<br>
> field of the RRSIG RR (2017-06-30 23:25:12+00:00) is 1 day in the past.<br>
><br>
> I fixed the issue by restarting the BIND daemon. Is this just a case of<br>
> BIND missing a key event in its automation or something else?<br>
<br>
</span>There appear to be some bugs in some versions of BIND that break<br>
automatic re-signing. I've observed this at least once with my<br>
personal zone, shortly after introducing a new ZSK. I think there<br>
may have been an earlier occasion, possibly not related to key<br>
rotation. My zones are rather static, and the problem has only<br>
been seen once or twice in 3+ years. Perhaps there's some sort of<br>
issue with automatic signing and zone data modification<br>
<br>
My solution is *monitoring*. I run a daily cron job that checks<br>
the signature expiration time of every RRset my signed zones. When<br>
any RRset's remaining signature validity is <= 3 days I get an<br>
email notification. If the condition persists I manually re-sign<br>
the zone.<br>
<br>
I don't know why BIND sometimes forgets to continue signing the<br>
zone.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Viktor.<br>
</font></span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.<wbr>net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/<wbr>mailman/listinfo/dns-<wbr>operations<br>
dns-operations</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/<wbr>mailman/listinfo/dns-<wbr>operations</a><br>
</div></div></blockquote></div><br></div>