dnssec not automatically updating on 1 server

Michael Martinell michael.martinell at itccoop.com
Thu Jun 15 13:54:38 UTC 2023


Anybody have any ideas on why my dnssec records don't always automatically update on my NS2 authoritative server?  On my NS1 authoritative server the records update without issue.
NS2 is an exact copy of NS1. We SCP all of the config files from the first server to the second server and do "rndc reconfig && rndc reload && systemctl restart bind" on both servers.
They are both CentOS 7 running BIND 9.16.40.

When it fails, I get this message:
[root at ns2 ~]# delv itctel.com @ns2.itctel.com
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 2607:d600:9000:300:75:102:160:231#53
;; resolution failed: RRSIG has expired


I have this policy in named.conf
dnssec-policy "itc-no-rotate" {
        keys {
                ksk key-directory lifetime unlimited algorithm 13;
                zsk key-directory lifetime unlimited algorithm 13;
        };
        nsec3param;
};

I have this set up in a custom includes file:
zone "itctel.com" in {
        type master;
        file "forward/itctel.com.zone";
        dnssec-policy itc-no-rotate;
        inline-signing yes;
};

No changes to my actual zone files. The inline signing takes care of everything.

Here is a list of my files for this domain
/var/named/forward/itctel.com.zone      /var/named/forward/itctel.com.zone.jnl  /var/named/forward/itctel.com.zone.signed
/var/named/forward/itctel.com.zone.jbk   /var/named/forward/itctel.com.zone.new  /var/named/forward/itctel.com.zone.signed.jnl
Michael Martinell
Network/Broadband Technician

Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martinell at itccoop.com
www.itc-web.com
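As an added example that is not part of the original post: a small monitoring check that parses the RRSIG records each authoritative server returns for the zone (the answer section printed by `dig +dnssec +noall +answer itctel.com A @<server>`) and reports which server is serving expired or missing signatures, so a discrepancy like the NS1/NS2 one above shows up in monitoring before a validating resolver fails. The server names, zone, algorithm and key tag echo the post; the sample answers, timestamps and the signature field are constructed placeholders, and the `POST_TIME` constant is simply the post's timestamp used as "now" so the example is reproducible.

```python
"""
Added example (not code from the original post or from BIND): parse RRSIG
records from dig answer-section text and flag expired, not-yet-valid or
missing signatures per authoritative server. All sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 4034 RRSIG presentation format, as dig prints it without +multiline:
# owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+"
    r"(?P<covered>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S.*)$"
)

# "Now" for the worked example: the timestamp of the post (constructed choice).
POST_TIME = datetime(2023, 6, 15, 13, 54, 38, tzinfo=timezone.utc)

# Constructed sample answers. The signature field is a placeholder, not a real signature.
SAMPLE_NS1 = """\
itctel.com.\t3600\tIN\tA\t75.102.160.231
itctel.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20230715120000 20230615120000 3593 itctel.com. PLACEHOLDERSIG==
"""
SAMPLE_NS2 = """\
itctel.com.\t3600\tIN\tA\t75.102.160.231
itctel.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20230614120000 20230515120000 3593 itctel.com. PLACEHOLDERSIG==
"""


@dataclass
class RRSig:
    owner: str
    covered: str
    algorithm: int
    keytag: int
    expiration: datetime
    inception: datetime
    signer: str


def _parse_time(value: str) -> datetime:
    # RRSIG times are UTC in YYYYMMDDHHmmSS form.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output: str) -> list[RRSig]:
    """Extract RRSIG records from dig answer-section text; other RRs are ignored."""
    sigs: list[RRSig] = []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        sigs.append(RRSig(
            owner=m["owner"], covered=m["covered"], algorithm=int(m["alg"]),
            keytag=int(m["keytag"]), expiration=_parse_time(m["expiration"]),
            inception=_parse_time(m["inception"]), signer=m["signer"],
        ))
    return sigs


def classify(sig: RRSig, now: datetime, warn_before: timedelta = timedelta(days=7)) -> str:
    """'expired', 'not-yet-valid', 'expiring' (inside the warning window) or 'ok'."""
    if now >= sig.expiration:
        return "expired"
    if now < sig.inception:
        return "not-yet-valid"
    if sig.expiration - now <= warn_before:
        return "expiring"
    return "ok"


def check_servers(outputs: dict[str, str], now: datetime) -> dict[str, str]:
    """Map each server to the worst RRSIG status in its answer ('unsigned' if none)."""
    severity = {"expired": 3, "not-yet-valid": 3, "unsigned": 3, "expiring": 2, "ok": 1}
    result: dict[str, str] = {}
    for server, text in outputs.items():
        statuses = [classify(s, now) for s in parse_rrsigs(text)] or ["unsigned"]
        result[server] = max(statuses, key=lambda s: severity[s])
    return result


def servers_out_of_step(statuses: dict[str, str]) -> list[str]:
    """Servers that are broken while at least one other server for the zone is healthy."""
    healthy = {"ok", "expiring"}
    if not any(st in healthy for st in statuses.values()):
        return []  # all bad or all good: not a per-server replication discrepancy
    return sorted(s for s, st in statuses.items() if st not in healthy)


if __name__ == "__main__":
    statuses = check_servers({"ns1": SAMPLE_NS1, "ns2": SAMPLE_NS2}, POST_TIME)
    for server, status in statuses.items():
        print(f"{server}: {status}")
    print("out of step:", servers_out_of_step(statuses))
```

In use, feed the function the answer text captured from each nameserver (without `+multiline`, so each RRSIG stays on one line) and run it from cron with `now = datetime.now(timezone.utc)`; a server reported as out of step is the one to inspect, and the `expiring` status gives warning before the signatures actually lapse.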