[Pdns-users] DNSSEC Expiry with slaves
Pieter Lexis
pieter.lexis at powerdns.com
Thu Aug 24 07:28:12 UTC 2017
Hello Troy,
On Thu, 24 Aug 2017 12:05:48 +1000
Troy Kelly <troy.kelly at really.ai> wrote:
> We recently implemented DNSSEC, and then more recently had several of the
> RRSIGs expire, and those domains became inoperable.
>
> We use PowerDNS as a stealth master, with public nameservers supplied by
> one of our infrastructure providers.
>
> Where we don't make regular changes to the domain - we are going to keep
> experiencing this expiry issue.
>
> Is there some (cron job?) solution that we can implement to roll over and
> notify a domain before the RRSIGs expire?
>
> I had thought of a weekly pdnsutil increase-serial for every domain - but
> it seems like a real kludge of a solution.
You can use the default-soa-edit-signed configuration item[1] to set the default SOA-EDIT metadata value for signed domains.
The possible values and their outcomes are described in the documentation[2].
In short, the SOA-EDIT value edits the SOA serial after retrieving it from the datastore, so slaves see a higher SOA serial when the RRSIGs roll.
INCREMENT-WEEKS is a safe value that will add the number of weeks since the UNIX epoch to the SOA serial, but please read the whole page.
Good luck!
Pieter
1 - https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
2 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
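The arithmetic behind INCREMENT-WEEKS, written out as an added example so that the serial a slave should see after the edit can be predicted and checked; this is not code from Pieter or from PowerDNS. It assumes a stored serial of 2017081401 and a hypothetical zone name, and the timestamps below are constructed for illustration. The comparison helper uses RFC 1982 serial arithmetic (32-bit wraparound) rather than plain integer comparison, which is what a slave does when deciding whether to transfer.

```shell
#!/bin/sh
# Reproduce the INCREMENT-WEEKS SOA-EDIT arithmetic locally (added example,
# not PowerDNS code). Serial and timestamps below are constructed.

SECONDS_PER_WEEK=604800

# Weeks elapsed since the UNIX epoch for a given timestamp (integer division).
weeks_since_epoch() {
  echo $(( $1 / SECONDS_PER_WEEK ))
}

# Serial a slave will see for a zone with SOA-EDIT=INCREMENT-WEEKS:
# $1 = serial stored in the backend, $2 = UNIX timestamp of the query.
increment_weeks_serial() {
  echo $(( $1 + $(weeks_since_epoch "$2") ))
}

# RFC 1982 "less than" for 32-bit serials: returns 0 (true) when $1 < $2,
# correctly handling wraparound past 4294967295.
serial_lt() {
  a=$1; b=$2
  if [ "$a" -lt "$b" ]; then
    [ $(( b - a )) -lt 2147483648 ]
  else
    [ "$a" -gt "$b" ] && [ $(( a - b )) -gt 2147483648 ]
  fi
}

# Returns 0 when a slave holding $1 will transfer from a master serving $2.
slave_will_transfer() {
  serial_lt "$1" "$2"
}

# Stand-alone demonstration: the stored serial does not change, but the
# edited serial grows by one each week, so an unchanged zone still refreshes.
stored=2017081401
now=1503559692                       # constructed: 2017-08-24 07:28:12 UTC
next_week=$(( now + SECONDS_PER_WEEK ))
this=$(increment_weeks_serial "$stored" "$now")
later=$(increment_weeks_serial "$stored" "$next_week")
echo "stored=$stored edited_now=$this edited_next_week=$later"
if slave_will_transfer "$this" "$later"; then
  echo "slave holding $this will transfer when master serves $later"
fi
```

To enable the behaviour globally put `default-soa-edit-signed=INCREMENT-WEEKS` in pdns.conf, or per zone with `pdnsutil set-meta example.com SOA-EDIT INCREMENT-WEEKS` (example.com is a placeholder). The edit only changes what the master serves; it does not by itself send a NOTIFY, so after enabling it verify with `dig +short SOA example.com @<master>` against the same query at the public nameservers once their refresh interval has passed, or push it with `pdns_control notify example.com`.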