dnssec not automatically updating on 1 server

Ondřej Surý ondrej at isc.org
Thu Jun 15 13:59:24 UTC 2023


What do the logs say? Have you checked them?

Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 15. 6. 2023, at 15:54, Michael Martinell via bind-users <bind-users at lists.isc.org> wrote:
> 
> Anybody have any ideas on why my dnssec records don’t always automatically update on my NS2 authoritative server? On my NS1 authoritative server the records update without issue.
> NS2 is an exact copy of NS1. We SCP all of the config files from the first server to the second server and do “rndc reconfig && rndc reload && systemctl restart bind” on both servers.
> They are both CentOS 7 running BIND 9.16.40.
> 
> When it fails, I get this message:
> 
> [root at ns2 ~]# delv itctel.com @ns2.itctel.com
> ;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
> ;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN': 2607:d600:9000:300:75:102:160:231#53
> ;; resolution failed: RRSIG has expired
> 
> I have this policy in named.conf:
> 
> dnssec-policy "itc-no-rotate" {
>         keys {
>                 ksk key-directory lifetime unlimited algorithm 13;
>                 zsk key-directory lifetime unlimited algorithm 13;
>         };
>         nsec3param;
> };
> 
> I have this set up in a custom includes file:
> 
> zone "itctel.com" in {
>         type master;
>         file "forward/itctel.com.zone";
>         dnssec-policy itc-no-rotate;
>         inline-signing yes;
> };
> 
> No changes to my actual zone files. The inline signing takes care of everything.
> 
> Here is a list of my files for this domain:
> 
> /var/named/forward/itctel.com.zone
> /var/named/forward/itctel.com.zone.jbk
> /var/named/forward/itctel.com.zone.jnl
> /var/named/forward/itctel.com.zone.new
> /var/named/forward/itctel.com.zone.signed
> /var/named/forward/itctel.com.zone.signed.jnl
> 
> Michael Martinell
> Network/Broadband Technician
> 
> Interstate Telecommunications Coop., Inc.
> 312 4th Street West • Clear Lake, SD 57226
> Phone: (605) 874-8313
> michael.martinell at itccoop.com
> www.itc-web.com
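The delv output quoted above only reports the first expired signature it trips over. Before reading named's logs, it helps to see the whole picture: which RRSIGs each authoritative server is handing out and how far each one is from its expiration time. The following is an added example for this thread, not code from the original post or from BIND. It parses RRSIG records in standard presentation format (as printed by `dig +dnssec` or `delv`) and classifies each signature against a reference time, so the same query run against NS1 and NS2 can be compared side by side. The function names (`parse_rrsigs`, `classify`, `check_zone`) are my own, and `SAMPLE_NS2` is constructed: the zone name and key tag 3593 come from the thread, but the timestamps and signature blobs are made up.

```python
"""Flag expired or soon-to-expire RRSIGs in dig/delv style output.

Added example for this thread, not code from the original post or from
BIND: it parses RRSIG records in presentation format and classifies each
one against a reference time, so the zone as served by NS1 and NS2 can be
compared side by side before digging into named's logs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    inception: datetime
    expiration: datetime
    key_tag: int
    signer: str


def parse_sig_time(field: str) -> datetime:
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(text: str) -> list[Rrsig]:
    """Pick RRSIG lines out of dig +dnssec / delv output; skip comments and other RRs."""
    sigs: list[Rrsig] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig...
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        sigs.append(Rrsig(
            owner=f[0],
            type_covered=f[4],
            expiration=parse_sig_time(f[8]),
            inception=parse_sig_time(f[9]),
            key_tag=int(f[10]),
            signer=f[11],
        ))
    return sigs


def classify(sig: Rrsig, now: datetime, warn: timedelta = timedelta(days=2)) -> str:
    """One of: not-yet-valid, expired, expiring (inside the warn window), ok."""
    if now < sig.inception:
        return "not-yet-valid"
    if now >= sig.expiration:
        return "expired"
    if sig.expiration - now <= warn:
        return "expiring"
    return "ok"


def check_zone(text: str, now: datetime) -> dict[str, str]:
    """Map 'owner/type/keytag' -> status for every RRSIG found in the output."""
    return {f"{s.owner}/{s.type_covered}/{s.key_tag}": classify(s, now)
            for s in parse_rrsigs(text)}


# Constructed sample resembling `dig itctel.com A +dnssec` output from ns2 in
# the thread; the timestamps and the signature blobs are made up for this example.
SAMPLE_NS2 = """\
; <<>> DiG <<>> itctel.com A +dnssec
itctel.com.  3600 IN A     75.102.160.231
itctel.com.  3600 IN RRSIG A 13 2 3600 20230601000000 20230518000000 3593 itctel.com. c29tZS1zaWc=
itctel.com.  3600 IN SOA   ns1.itctel.com. hostmaster.itctel.com. 1 7200 3600 1209600 3600
itctel.com.  3600 IN RRSIG SOA 13 2 3600 20230616120000 20230602120000 3593 itctel.com. YW5vdGhlcg==
itctel.com.  3600 IN RRSIG NS 13 2 3600 20230628000000 20230614000000 3593 itctel.com. dGhpcmQ=
"""

# Reference time: when the thread was posted (2023-06-15 13:59:24 UTC).
NOW = datetime(2023, 6, 15, 13, 59, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rr, status in check_zone(SAMPLE_NS2, NOW).items():
        print(f"{rr:32} {status}")
```

To use it on live servers, save the output of `dig itctel.com A +dnssec @ns1.itctel.com` and the same query against `@ns2.itctel.com` to two files and run `check_zone` on each with `datetime.now(timezone.utc)` as the reference time; a signature that is `ok` on NS1 but `expired` on NS2 for the same key tag confirms that the signatures differ between the two servers rather than the keys. Note that `lifetime unlimited` in a `dnssec-policy` only suppresses key rollovers; named still re-signs records on its `signatures-refresh` / `signatures-validity` schedule (5 and 14 days by default in 9.16), so an RRSIG that has expired on one server means that server's re-signing did not happen, which is exactly what its logs should explain.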
