Primary zone not fully maintained by BIND

Sandro lists at penguinpee.nl
Mon May 23 13:36:18 UTC 2022


Hello,

I was notified this morning by my registrar that validation of my zone 
records failed. Upon inspection, it turned out that only the SOA record 
was still up to date. A, AAAA and MX all returned RRSIG expired.

I checked my logs and did not see any warning signs. I also tried to get 
the zone re-signed manually using 'rndc sign'. That either didn't work 
or I wasn't patient enough. I ended up removing all DNSSEC related 
entries from the zone file, increasing the serial and restarted named. 
Upstream servers had already stopped answering queries, so I was in a bit 
of a hurry getting this fixed.

Since I want to avoid this happening again, I would like to understand 
what went wrong. My setup is as follows for the zone in question:

options {

     dnssec-validation yes;
     dnssec-policy default;

};

view "internal" {

     match-clients { local; };
     recursion       no;
     allow-update    { key ddns-key.penguinpee.nl; };

     zone "penguinpee.nl" {
         type    primary;
         file    "dynamic/penguinpee.nl.internal.zone";
     };
};

view "external" {

     match-clients   { any; };
     recursion       no;

     zone "penguinpee.nl" {
         type            primary;
         file            "master/penguinpee.nl.zone";
         allow-query     { any; };
         allow-transfer  { transip; };
         notify          no;
     };
};

Using delv, the internal view of the zone fully validated, for SOA, A, 
AAAA etc. However, in the external view delv told me 'RRSIG has expired' 
for all records but SOA.

Looking at the zone file, I indeed saw expired entries like:

RRSIG   MX 13 2 300 (
                 20220501085742 20220421164308 56132 penguinpee.nl.
                 FcrfTtdZDxO1dmarFgvbb+jAM5dT8EOrqGdOywKjQqjL
                 dcSHfaFuR8qP5PyyrCW6UOqMxWRjelPqBQBaBIY2aA== )

I thought that with 'dnssec-policy default' BIND would take care of it. 
Upon updating the zone, I increase the serial number and tell named with 
'rndc reload zone'. What am I missing?

-- Sandro
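As an added example (not part of Sandro's message and not BIND's own code), a small standard-library Python check that parses RRSIG records out of a zone file and flags signatures that are expired, not yet valid, or close to expiring, so the condition is noticed before the registrar or validating resolvers notice it. The sample zone text is constructed here: the MX RRSIG is the one quoted above, while the other records, their signature data and the reference time (the date of the post) are assumptions.

```python
"""Flag expired, not-yet-valid and soon-expiring RRSIGs in a zone file.

Added example for this thread, not code from the post or from BIND.
Standard library only; the sample zone text below is constructed
(the MX RRSIG is the one quoted in the post, everything else is made up).
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# RRSIG RDATA layout: type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(?P<type>[A-Z0-9]+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

SAMPLE_ZONE = """\
; constructed excerpt; the MX RRSIG is the one quoted in the post
penguinpee.nl.      300 IN RRSIG MX 13 2 300 (
                 20220501085742 20220421164308 56132 penguinpee.nl.
                 FcrfTtdZDxO1dmarFgvbb+jAM5dT8EOrqGdOywKjQqjL
                 dcSHfaFuR8qP5PyyrCW6UOqMxWRjelPqBQBaBIY2aA== )
www.penguinpee.nl.  300 IN RRSIG A 13 3 300 (
                 20220527120000 20220517120000 56132 penguinpee.nl.
                 Q29uc3RydWN0ZWRTaWduYXR1cmU= )
www.penguinpee.nl.  300 IN RRSIG AAAA 13 3 300 20220620120000 20220513120000 56132 penguinpee.nl. Q29uc3RydWN0ZWQ=
mail.penguinpee.nl. 300 IN RRSIG A 13 3 300 20220701000000 20220601000000 56132 penguinpee.nl. Q29uc3RydWN0ZWQ=
"""

# Reference instant for the worked run: the date of the post (an assumption).
REFERENCE_TIME = datetime(2022, 5, 23, 13, 36, 18, tzinfo=timezone.utc)


def logical_lines(zone_text):
    """Yield records as single lines: comments stripped, ( ... ) continuations joined."""
    parts, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # naive comment strip (no quoted ';' here)
        depth += line.count("(") - line.count(")")
        parts.append(line.replace("(", " ").replace(")", " ").strip())
        if depth <= 0:
            joined = " ".join(p for p in parts if p)
            parts, depth = [], 0
            if joined:
                yield joined


def _ts(stamp):
    """YYYYMMDDHHmmSS (RRSIG presentation format, always UTC) -> aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return the RRSIG records found in zone_text as dicts."""
    sigs = []
    for line in logical_lines(zone_text):
        m = RRSIG_RE.search(line)
        if not m:
            continue
        before = line[:m.start()].split()    # owner / TTL / class, if present
        sigs.append({
            "owner": before[0] if before else "(inherited)",
            "type": m["type"], "keytag": int(m["keytag"]), "signer": m["signer"],
            "inception": _ts(m["inception"]), "expiration": _ts(m["expiration"]),
        })
    return sigs


def check_rrsigs(zone_text, now, warn_within=timedelta(days=7)):
    """Classify each RRSIG relative to `now`: EXPIRED, NOT_YET_VALID, EXPIRING or OK."""
    findings = []
    for sig in parse_rrsigs(zone_text):
        if sig["expiration"] <= now:
            status = "EXPIRED"
        elif sig["inception"] > now:
            status = "NOT_YET_VALID"
        elif sig["expiration"] - now <= warn_within:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append({**sig, "status": status})
    return findings


if __name__ == "__main__":
    # Real use: read the zone file named writes and pass datetime.now(timezone.utc).
    findings = check_rrsigs(SAMPLE_ZONE, REFERENCE_TIME)
    for f in findings:
        print(f"{f['status']:<14}{f['owner']:<22}{f['type']:<6}keytag {f['keytag']}  "
              f"expires {f['expiration']:%Y-%m-%d %H:%M}Z")
    sys.exit(1 if any(f["status"] != "OK" for f in findings) else 0)
```

Run against the on-disk zone file that named maintains, from cron or a monitoring agent, with the warning window set comfortably longer than the gap between runs; a non-zero exit then gives early notice that re-signing has stalled, independently of whether named logged anything. It complements a query-side check such as the delv runs in the post, which only show the problem once it is already visible to resolvers.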
