dnssec not automatically updating on 1 server
Matthijs Mekking
matthijs at isc.org
Thu Jun 15 14:09:20 UTC 2023
First of all, I don't recommend copying the configuration and having two
primaries signing the same zone. It would at least need some key
management synchronizing the signing keys.
I see that the DNSKEY set from ns1 differs from ns2 (there are two more
keys there, where do they come from?)
Please provide 'rndc dnssec -status' output for the zone on both servers.
Please provide the logs as Ondrej said. Also preferably everything on
level 3 debug.
Best regards,
Matthijs
On 6/15/23 15:54, Michael Martinell via bind-users wrote:
> Anybody have any ideas on why my dnssec records don’t always
> automatically update on my NS2 authoritative server? On my NS1
> authoritative server the records update without issue.
>
> NS2 is an exact copy of NS1. We SCP all of the config files from the
> first server to the second server and do “rndc reconfig && rndc reload
> && systemctl restart bind” on both servers.
>
> They are both Centos 7 running Bind 9.16.40.
>
> When it fails, I get this message:
>
> [root at ns2 ~]# delv itctel.com @ns2.itctel.com
> ;; validating itctel.com/A: verify failed due to bad signature
> (keyid=3593): RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
> ;; validating itctel.com/A: verify failed due to bad signature
> (keyid=3593): RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN':
> 2607:d600:9000:300:75:102:160:231#53
> ;; resolution failed: RRSIG has expired
>
> I have this policy in named.conf
>
> dnssec-policy "itc-no-rotate" {
>     keys {
>         ksk key-directory lifetime unlimited algorithm 13;
>         zsk key-directory lifetime unlimited algorithm 13;
>     };
>     nsec3param;
> };
>
> I have this set up in a custom includes file:
>
> zone "itctel.com" in {
>     type master;
>     file "forward/itctel.com.zone";
>     dnssec-policy itc-no-rotate;
>     inline-signing yes;
> };
>
> No changes to my actual zone files. The inline signing takes care of
> everything.
>
> Here is a list of my files for this domain
>
> /var/named/forward/itctel.com.zone
> /var/named/forward/itctel.com.zone.jnl
> /var/named/forward/itctel.com.zone.signed
>
> /var/named/forward/itctel.com.zone.jbk
> /var/named/forward/itctel.com.zone.new
> /var/named/forward/itctel.com.zone.signed.jnl
>
> Michael Martinell
> Network/Broadband Technician
>
> Interstate Telecommunications Coop., Inc.
> 312 4th Street West • Clear Lake, SD 57226
> Phone: (605) 874-8313
> michael.martinell at itccoop.com
> www.itc-web.com
>
>
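A check that would have caught the ns2 symptom above before resolvers started failing, as an added example that is not part of this thread and not BIND's own tooling: it parses the RRSIG lines that `dig +dnssec +noall +answer` prints for a zone on each authoritative server, classifies every signature as expired, not yet valid, expiring or ok against a chosen clock, and reports when the servers disagree. The dig output, the server names, the zone name and the "now" timestamp are all constructed; RRSIG field order follows RFC 4034 section 3.

```python
"""Compare RRSIG validity windows served by two authoritative servers.

Added example, not code from the bind-users thread or from BIND. It
parses RRSIG records out of dig answer text, flags signatures that have
expired or are about to, and detects the case in the thread where ns1
keeps re-signing but ns2 silently serves stale signatures. All input
below is constructed; the hostnames and zone are placeholders.
"""
from datetime import datetime, timedelta, timezone

# RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2).
RRSIG_TIME = "%Y%m%d%H%M%S"

# Constructed `dig +dnssec +noall +answer` output from two servers for the
# same zone. ns1 serves a fresh signature; ns2 still serves an expired one.
SAMPLE_ANSWERS = {
    "ns1.example.test": """\
example.test. 3600 IN A 192.0.2.10
example.test. 3600 IN RRSIG A 13 2 3600 20230629120000 20230615120000 3593 example.test. c29tZXNpZw==
""",
    "ns2.example.test": """\
example.test. 3600 IN A 192.0.2.10
example.test. 3600 IN RRSIG A 13 2 3600 20230612120000 20230529120000 3593 example.test. b2xkc2ln
""",
}


def at(timestamp):
    """Turn an RRSIG-format timestamp string into an aware UTC datetime."""
    return datetime.strptime(timestamp, RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_rrsigs(answer_text):
    """Return one dict per RRSIG line found in dig answer output."""
    sigs = []
    for line in answer_text.splitlines():
        fields = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration
        # inception keytag signer signature  -> 13 fields
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0],
            "covered": fields[4],
            "algorithm": int(fields[5]),
            "expiration": at(fields[8]),
            "inception": at(fields[9]),
            "keytag": int(fields[10]),
            "signer": fields[11],
        })
    return sigs


def classify(sig, now, warn_days=3):
    """Return 'expired', 'not-yet-valid', 'expiring' or 'ok' for one RRSIG."""
    if now > sig["expiration"]:
        return "expired"
    if now < sig["inception"]:
        return "not-yet-valid"
    if sig["expiration"] - now < timedelta(days=warn_days):
        return "expiring"
    return "ok"


def check_servers(answers, now, warn_days=3):
    """Map server -> list of (covered type, key tag, status) for its RRSIGs."""
    report = {}
    for server, text in answers.items():
        report[server] = [
            (s["covered"], s["keytag"], classify(s, now, warn_days))
            for s in parse_rrsigs(text)
        ]
    return report


def servers_disagree(report):
    """True when the servers do not all report the same RRSIG statuses.

    'ok' on one server and 'expired' on another is the signal that one
    signer has stopped re-signing or the zone copies have diverged.
    """
    normalized = [sorted(rows) for rows in report.values()]
    return any(rows != normalized[0] for rows in normalized)


if __name__ == "__main__":
    now = at("20230615140000")  # constructed clock for the demonstration
    report = check_servers(SAMPLE_ANSWERS, now)
    for server, rows in report.items():
        for covered, keytag, status in rows:
            print(f"{server}: RRSIG {covered} keytag {keytag}: {status}")
    if servers_disagree(report):
        print("WARNING: authoritative servers disagree on signature validity")
```

In practice the two answer texts would come from `dig +dnssec +noall +answer <zone> @<server>` run against each authoritative server on a schedule, with the warning threshold set below the policy's signature validity so a stalled signer is noticed while the old signatures are still valid.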