DNSSEC inline/auto - burst of resigning/updates ?

Brandon Applegate brandon at burn.net
Fri Sep 6 23:24:09 UTC 2019


Hello,

I just very recently set up all my zones for inline signing + auto maintain.  Prior to this I had cron jobs resigning and it was working okay.  But after I read up on inline/auto I thought it to be much more elegant.

Anyway, basically the behavior I expect and observe is that bind periodically resigns my zones based on the sig-validity-interval values.  Also, if I push a DDNS update (I do this for my home firewall for remote access (dynamic IP) as well as rotating my DKIM keys), I expect the zone to get resigned and my slaves get NOTIFYs and pull it.  All of this happens.

Tonight though in about an hour, the serial number was incremented 12 times and NOTIFYs sent.  My home firewall is stable, and my DKIM rotation happens monthly via cron.  So there’s nothing in the logs regarding a DDNS update.

My question is - what could prompt these changes?  I don’t see a pattern in time or anything else in the logs.

Also if there’s some debug I can toggle or increase I’m all ears…

Here’s the zone in question and its config stanza:

        zone "burn.net" IN {
                type master;
                file "burn.net.zone";
                update-policy {
                        grant vom.burn.net. zonesub A AAAA TXT;
                };
                key-directory "/var/cache/bind/keys";
                auto-dnssec maintain;
                inline-signing yes;
                sig-validity-interval 14 9;
        };

# grep -i burn.net /var/log/syslog | grep notifies
Sep  6 17:54:43 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082736)
Sep  6 17:57:41 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082737)
Sep  6 18:11:02 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082738)
Sep  6 18:16:42 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082739)
Sep  6 18:22:07 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082740)
Sep  6 18:28:51 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082741)
Sep  6 18:31:27 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082742)
Sep  6 18:40:07 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082743)
Sep  6 18:50:25 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082744)
Sep  6 18:55:03 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082745)
Sep  6 18:57:27 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082746)
Sep  6 18:58:24 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082747)
Sep  6 19:04:37 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082748)

Thanks.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
