[Pdns-users] RRSIG expired?
spork at bway.net
Tue Apr 4 05:11:56 UTC 2017
Please bear with me, this is my first attempt at working with DNSSEC and PowerDNS, and I’m working it out on a personal domain. I have three servers set up - the master is running PowerDNS 4.0.3, both slaves are running nsd 4.1.14. When I first set this up, everything seemed to work fine and the setup passed the dnsviz.net tool.
Today I noticed that I was not able to resolve this domain from home, where unbound runs as a validating, caching server. After some digging, dnsviz told me that my RRSIGs were “expired” - both from the slaves and the master. After much random poking around, I could not quite figure out how to tell PowerDNS to periodically refresh the signed zone(s). After manually just bumping the serial with “pdnsutil increase-serial example.com”, the zone started validating properly at dnsviz.net and at home. Is this supposed to be automated? What have I missed?
My original setup followed the “from an existing powerdns installation” here: https://doc.powerdns.com/md/authoritative/dnssec/#from-an-existing-powerdns-installation
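
Added example, not part of the original post and not PowerDNS code: a monitoring check that reads RRSIG records in `dig +dnssec` presentation format and flags signatures that are expired or close to expiring, so the condition described above is caught before validating resolvers start failing. The sample records, key tag, evaluation time and 3-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in `dig +dnssec` answer format (not data from the post).
SAMPLE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017031601 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20170330000000 20170309000000 12345 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG NS 13 2 3600 20170406000000 20170316000000 12345 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG A 13 2 3600 20170413000000 20170323000000 12345 example.com. c2lnbmF0dXJl
"""

# Constructed evaluation time for the sample.
NOW = datetime(2017, 4, 4, 5, 11, 56, tzinfo=timezone.utc)


def parse_ts(field):
    """RRSIG timestamps as printed by dig are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Return (owner, covered_type, status, expiration) for each RRSIG line."""
    results = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
        if line.startswith(";") or len(f) < 13 or f[3] != "RRSIG":
            continue
        expiration, inception = parse_ts(f[8]), parse_ts(f[9])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        elif expiration - now <= warn:
            status = "expiring"
        else:
            status = "ok"
        results.append((f[0], f[4], status, expiration))
    return results


if __name__ == "__main__":
    for owner, covered, status, exp in check_rrsigs(SAMPLE, NOW):
        print(f"{status:14} {owner} {covered} expires {exp:%Y-%m-%d %H:%M:%S}Z")
```

Feed it the answer section from each authoritative server separately (master and both slaves), since a slave serving an old transfer can hold expired signatures while the master's are fresh.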