dnssec not automatically updating on 1 server

Matthijs Mekking matthijs at isc.org
Thu Jun 15 14:09:20 UTC 2023


First of all, I don't recommend copying the configuration and having two 
primaries signing the same zone. It would at least need some key 
management synchronizing the signing keys.

I see that the DNSKEY set from ns1 differs from ns2 (there are two more 
keys there, where do they come from?)

Please provide 'rndc dnssec -status' output for the zone on both servers.

Please provide the logs as Ondrej said. Also preferably everything on 
level 3 debug.

Best regards,

Matthijs

On 6/15/23 15:54, Michael Martinell via bind-users wrote:
> Anybody have any ideas on why my dnssec records don’t always 
> automatically update on my NS2 authoritative server?  On my NS1 
> authoritative server the records update without issue.
> 
> NS2 is an exact copy of NS1. We SCP all of the config files from the 
> first server to the second server and do “rndc reconfig && rndc reload 
> && systemctl restart bind” on both servers.
> 
> They are both Centos 7 running Bind 9.16.40.
> 
> When it fails, I get this message:
> 
> [root at ns2 ~]# delv itctel.com @ns2.itctel.com
> ;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
> ;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN': 2607:d600:9000:300:75:102:160:231#53
> ;; resolution failed: RRSIG has expired
> 
> I have this policy in named.conf
> 
> dnssec-policy "itc-no-rotate" {
>         keys {
>                 ksk key-directory lifetime unlimited algorithm 13;
>                 zsk key-directory lifetime unlimited algorithm 13;
>         };
>         nsec3param;
> };
> 
> I have this set up in a custom includes file:
> 
> zone "itctel.com" in {
>         type master;
>         file "forward/itctel.com.zone";
>         dnssec-policy itc-no-rotate;
>         inline-signing yes;
> };
> 
> No changes to my actual zone files. The inline signing takes care of 
> everything.
> 
> Here is a list of my files for this domain:
> 
> /var/named/forward/itctel.com.zone
> /var/named/forward/itctel.com.zone.jnl
> /var/named/forward/itctel.com.zone.signed
> /var/named/forward/itctel.com.zone.jbk
> /var/named/forward/itctel.com.zone.new
> /var/named/forward/itctel.com.zone.signed.jnl
> 
> *Michael Martinell*
> Network/Broadband Technician
> 
> *Interstate Telecommunications Coop., Inc.*
> 312 4th Street West • Clear Lake, SD 57226
> Phone: (605) 874-8313
> michael.martinell at itccoop.com
> www.itc-web.com
> 
> 
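The two things Matthijs asks Michael to look at, whether the DNSKEY sets on ns1 and ns2 really differ and which RRSIGs have run past their expiration, can be checked from a plain `dig +dnssec` dump of each server without touching the key directory. The script below is an added example written for this thread; it is not code from the original post, from the poster, or from BIND/ISC. It assumes input in standard presentation format (`owner TTL class type rdata...`, the form `dig +dnssec` prints), computes key tags per RFC 4034 Appendix B so DNSKEY records can be matched to the `keyid` that `delv` complains about, and flags signatures that are expired, about to expire, or made by a key the server no longer publishes. All function names are mine, and the sample records are constructed (tiny fake public keys, not real itctel.com data) so it runs offline.

```python
"""Audit RRSIG validity windows and DNSKEY consistency on two authoritative servers.

Added example for the thread above; not code from the original post or from BIND.
Input is assumed to be dig-style presentation format; the sample lines are constructed.
"""
import base64
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    inception: datetime
    expiration: datetime


def _sig_time(s: str) -> datetime:
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def parse_dnskey(line: str) -> int:
    """Return the key tag of one DNSKEY record: owner ttl class DNSKEY flags proto alg key..."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))


def parse_rrsig(line: str) -> Rrsig:
    """Parse: owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig..."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4], algorithm=int(f[5]), key_tag=int(f[10]),
                 inception=_sig_time(f[9]), expiration=_sig_time(f[8]))


def rrsig_state(sig: Rrsig, now: datetime, warn: timedelta = timedelta(days=3)) -> str:
    """Classify a signature relative to 'now'; 'warn' is how close to expiry counts as a problem."""
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    if sig.expiration - now <= warn:
        return "expiring"
    return "valid"


def audit(lines, now: datetime) -> dict:
    """Summarise one server's published DNSKEY set and the state of every RRSIG in the dump."""
    tags, sigs = set(), []
    for line in lines:
        f = line.split()
        if len(f) > 3 and f[3] == "DNSKEY":
            tags.add(parse_dnskey(line))
        elif len(f) > 3 and f[3] == "RRSIG":
            sigs.append(parse_rrsig(line))
    by_state = lambda st: sorted((s.type_covered, s.key_tag) for s in sigs if rrsig_state(s, now) == st)
    return {
        "dnskey_tags": tags,
        "expired": by_state("expired"),
        "expiring": by_state("expiring"),
        # a signature by a key the server does not publish can never validate
        "orphan_sigs": sorted((s.type_covered, s.key_tag) for s in sigs if s.key_tag not in tags),
    }


def compare_servers(ns1_lines, ns2_lines, now: datetime) -> dict:
    """Diff the DNSKEY sets of two servers and attach each server's signature audit."""
    a, b = audit(ns1_lines, now), audit(ns2_lines, now)
    return {"keys_only_on_ns1": a["dnskey_tags"] - b["dnskey_tags"],
            "keys_only_on_ns2": b["dnskey_tags"] - a["dnskey_tags"],
            "ns1": a, "ns2": b}


# Constructed sample dumps (fake 2-4 byte "public keys", not real itctel.com records).
NOW = datetime(2023, 6, 15, 14, 9, 20, tzinfo=UTC)
NS1_LINES = [
    "itctel.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "itctel.com. 3600 IN DNSKEY 256 3 13 AAA=",
    "itctel.com. 3600 IN RRSIG A 13 2 3600 20230629120000 20230601120000 1037 itctel.com. c2lnMQ==",
]
NS2_LINES = NS1_LINES[:2] + [
    "itctel.com. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # extra ZSK only ns2 publishes
    "itctel.com. 3600 IN RRSIG A 13 2 3600 20230614120000 20230531120000 1037 itctel.com. c2lnMg==",
]

if __name__ == "__main__":
    report = compare_servers(NS1_LINES, NS2_LINES, NOW)
    print("DNSKEY only on ns1:", report["keys_only_on_ns1"])
    print("DNSKEY only on ns2:", report["keys_only_on_ns2"])
    for name in ("ns1", "ns2"):
        print(name, "expired:", report[name]["expired"], "expiring:", report[name]["expiring"],
              "orphans:", report[name]["orphan_sigs"])
```

Run against real dumps (`dig @ns1.example.net example.net ANY +dnssec +noall +answer`, one file per server) the key-tag diff shows directly whether the two copies of the zone are being signed by the same keys, and the `expiring` bucket gives you the early warning that the `delv` failure in the post was missing: with a 3-day threshold and BIND's default signature validity, a signer that has stopped re-signing shows up days before resolvers start returning SERVFAIL.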