[Pdns-users] RRSIG expired?

Pieter Lexis pieter.lexis at powerdns.com
Tue Apr 4 07:46:04 UTC 2017

Hello Charles,

On Tue, 4 Apr 2017 01:11:56 -0400
Charles Sprickman <spork at bway.net> wrote:

> Please bear with me, this is my first attempt at working with DNSSEC and PowerDNS, and I’m working it out on a personal domain.  I have three servers set up - the master is running PowerDNS 4.0.3, both slaves are running nsd 4.1.14.  When I first set this up, everything seemed to work fine and the setup passed the dnsviz.net tool.
> Today I noticed that I was not able to resolve this domain from home, where unbound runs as a validating, caching server.  After some digging, dnsviz told me that my RRSIGs were “expired” - both from the slaves and the master.  After much random poking around, I could not quite figure out how to tell PowerDNS to periodically refresh the signed zone(s).  After manually just bumping the serial with “pdnsutil increase-serial example.com”, the zone started validating properly at dnsviz.net and at home.  Is this supposed to be automated?  What have I missed?

This is automated indeed, rolling the signatures happens in the daemon itself automatically.
To debug this, we're gonna need some more information. Could you share the domain name, your config (without passwords), the output of `pdnsutil show-zone YOURZONE` and the responses from all machines to `dig soa +dnssec +norec @MACHINE YOURZONE`?

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
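As an added example (not part of this thread or of PowerDNS), a small script that parses the `dig soa +dnssec +norec` answers Pieter asks for, reports where each server's SOA RRSIG sits relative to its inception/expiration window, and flags any slave whose SOA serial lags the master. The two responses embedded in it are constructed sample data, not real output from the poster's servers.

```python
import re
from datetime import datetime, timezone

# Constructed `dig soa +dnssec +norec` answers for a master and a slave that
# missed a re-signed transfer (sample data, not the thread's real responses).
RESPONSES = {
    "master": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
              "2017040401 10800 3600 604800 3600\n"
              "example.com. 3600 IN RRSIG SOA 8 2 3600 20170418000000 20170328000000 "
              "12345 example.com. c2lnbmF0dXJlLWJ5dGVz\n",
    "slave1": "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
              "2017032001 10800 3600 604800 3600\n"
              "example.com. 3600 IN RRSIG SOA 8 2 3600 20170403000000 20170313000000 "
              "12345 example.com. c2lnbmF0dXJlLWJ5dGVz\n",
}
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)", re.M)
# RRSIG rdata: type covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+SOA\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+\S+", re.M)

def sig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC; 'now' is passed in the same form."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_server(text, now_stamp):
    """Return (SOA serial, RRSIG status) parsed from one server's dig output."""
    now = sig_time(now_stamp)
    soa = SOA_RE.search(text)
    serial = int(soa.group(1)) if soa else None
    sig = RRSIG_RE.search(text)
    if sig is None:
        return serial, "unsigned"
    expiration, inception = sig_time(sig.group(1)), sig_time(sig.group(2))
    if now < inception:
        return serial, "not-yet-valid"
    if now > expiration:
        return serial, "expired"
    return serial, "valid"

def check_fleet(responses, now_stamp):
    """Flag non-valid SOA signatures and slaves whose serial differs from the master."""
    results = {name: check_server(text, now_stamp) for name, text in responses.items()}
    master_serial = results["master"][0]
    findings = []
    for name, (serial, status) in results.items():
        if status != "valid":
            findings.append(f"{name}: SOA RRSIG {status}")
        if name != "master" and serial != master_serial:
            findings.append(f"{name}: serial {serial} differs from master {master_serial}")
    return findings
```

Run it against the real answers by pasting each server's dig output into the dictionary; a slave that reports an expired signature while the master is valid points at the transfer path rather than at signing itself.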
