[Pdns-users] RRSIG expired?

Charles Sprickman spork at bway.net
Tue Apr 4 05:11:56 UTC 2017

Hi all,

Please bear with me, this is my first attempt at working with DNSSEC and PowerDNS, and I’m working it out on a personal domain.  I have three servers set up - the master is running PowerDNS 4.0.3, both slaves are running nsd 4.1.14.  When I first set this up, everything seemed to work fine and the setup passed the dnsviz.net tool.

Today I noticed that I was not able to resolve this domain from home, where unbound runs as a validating, caching server.  After some digging, dnsviz told me that my RRSIGs were “expired” - both from the slaves and the master.  After much random poking around, I could not quite figure out how to tell PowerDNS to periodically refresh the signed zone(s).  After manually just bumping the serial with "pdnsutil increase-serial example.com", the zone started validating properly at dnsviz.net and at home.  Is this supposed to be automated?  What have I missed?

My original setup followed the “from an existing powerdns installation” here: https://doc.powerdns.com/md/authoritative/dnssec/#from-an-existing-powerdns-installation
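
The failure described in the message above (expired RRSIGs served by the master and both slaves) can be caught by comparing each server's RRSIG expiration field against the current time. The following is an added example, not part of the original post and not PowerDNS code; the server names, key tag, timestamps and signature text are constructed placeholders, and the input is assumed to be the text `dig +dnssec +noall +answer` prints when run against each server.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample answers in the format `dig +dnssec +noall +answer` prints.
# Server names, key tag and signature text are placeholders, not real data.
SAMPLE = {
    "ns1.example.com": (
        "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017040401 10800 3600 604800 3600\n"
        "example.com. 3600 IN RRSIG SOA 13 2 3600 20170413000000 20170323000000 12345 example.com. c2lnMQ==\n"
    ),
    "ns2.example.com": "example.com. 3600 IN RRSIG SOA 13 2 3600 20170330000000 20170309000000 12345 example.com. c2lnMg==\n",
    "ns3.example.com": "example.com. 3600 IN RRSIG SOA 13 2 3600 20170405000000 20170315000000 12345 example.com. c2lnMw==\n",
}
RANK = {"ok": 0, "expiring": 1, "not-yet-valid": 2, "expired": 3}

def rrsig_time(field):
    """Parse the YYYYMMDDHHmmSS (UTC) timestamp form that dig prints for RRSIGs."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(answer, now, warn=timedelta(days=2)):
    """Return (owner, covered_type, status, expiration) for each RRSIG line."""
    out = []
    for line in answer.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue  # not an RRSIG record (e.g. the SOA itself)
        expiration, inception = rrsig_time(f[8]), rrsig_time(f[9])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        elif expiration - now < warn:
            status = "expiring"
        else:
            status = "ok"
        out.append((f[0], f[4], status, expiration))
    return out

def audit(servers, now):
    """Worst RRSIG status per server; 'no-rrsig' if the answer had none."""
    report = {}
    for name, answer in servers.items():
        statuses = [r[2] for r in check_rrsigs(answer, now)]
        report[name] = max(statuses, key=RANK.get) if statuses else "no-rrsig"
    return report

if __name__ == "__main__":
    now = datetime(2017, 4, 4, 5, 11, 56, tzinfo=timezone.utc)  # constructed check time
    for server, status in audit(SAMPLE, now).items():
        print(f"{server}: {status}")
```

Running the check against every authoritative server, not only the master, shows whether a secondary is still serving older signatures than the primary.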



