[Pdns-users] DNSSEC Expiry with slaves

Pieter Lexis pieter.lexis at powerdns.com
Thu Aug 24 07:28:12 UTC 2017

Hello Troy,

On Thu, 24 Aug 2017 12:05:48 +1000
Troy Kelly <troy.kelly at really.ai> wrote:

> We recently implemented DNSSEC, and then more recently had several of the
> RRSIGs expire - and those domains become unoperational.
> We use PowerDNS as a stealth master, with public nameservers supplied by
> one of our infrastructure providers.
> Where we don't make regular changes to the domain - we are going to keep
> experiencing this expiry issue.
> Is there some (cron job?) solution that we can implement to roll over and
> notify a domain before the RRSIGs expire?
> I had thought of a weekly pdnsutil increase-serial for every domain - but
> it seems like a real kludge of a solution.

You can use the default-soa-edit-signed configuration item[1] to set the default SOA-EDIT metadata value for signed domains.
The possible values and their outcomes are described in the documentation[2].
In short, the SOA-EDIT value edits the SOA serial after retrieving it from the datastore so slaves see a higher SOA when the RRSIG rolls.
INCREMENT-WEEKS is a safe value that will add the number of weeks since the UNIX epoch to the SOA serial, but please read the whole page.

Good luck!


1 - https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
2 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
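
An added example, not part of the original post and not PowerDNS code: a small freshness check for RRSIG lines as printed by `dig +dnssec` against the public slaves, plus the INCREMENT-WEEKS arithmetic as the reply describes it (stored serial plus whole weeks since the UNIX epoch). The zone names, the serial, the signature blobs, and the three-day warning threshold are constructed for illustration.

```python
from datetime import datetime, timezone

WEEK = 7 * 86400  # seconds

def increment_weeks_serial(stored_serial, now):
    """Stored serial plus whole weeks since the UNIX epoch, as the post describes."""
    return (stored_serial + int(now.timestamp()) // WEEK) % 2**32  # serials are 32-bit

def _ts(s):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC (RFC 4034)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG line in the presentation format dig prints."""
    f = line.split()
    i = f.index("RRSIG")
    # after RRSIG: covered alg labels orig-ttl expiration inception keytag signer sig
    return {"owner": f[0], "covered": f[i + 1],
            "expires": _ts(f[i + 5]), "inception": _ts(f[i + 6])}

def check_signatures(lines, now, warn_days=3):
    """Return (owner, covered, status, days_left) for every RRSIG line."""
    out = []
    for line in lines:
        if "RRSIG" not in line.split():
            continue  # skip the non-signature records in the answer
        r = parse_rrsig(line)
        days = (r["expires"] - now).total_seconds() / 86400
        if days <= 0:
            status = "EXPIRED"        # validators now treat the answer as bogus
        elif r["inception"] > now:
            status = "NOT-YET-VALID"  # usually clock skew on the signer
        elif days <= warn_days:
            status = "EXPIRING"       # slave has not picked up fresh signatures
        else:
            status = "OK"
        out.append((r["owner"], r["covered"], status, round(days, 1)))
    return out

# Constructed sample answers (signature data is a placeholder)
SAMPLE = [
    "fresh.example. 3600 IN SOA ns1.fresh.example. host.fresh.example. 2017080101 1 1 1 1",
    "fresh.example. 3600 IN RRSIG SOA 13 2 3600 20170907000000 20170817000000 12345 fresh.example. c2ln",
    "stale.example. 3600 IN RRSIG SOA 13 2 3600 20170817000000 20170727000000 12345 stale.example. c2ln",
    "soon.example. 3600 IN RRSIG A 13 2 3600 20170826000000 20170805000000 12345 soon.example. c2ln",
]
NOW = datetime(2017, 8, 24, 7, 28, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in check_signatures(SAMPLE, NOW):
        print(*row)
    print("edited serial:", increment_weeks_serial(2017080101, NOW))
```

Run from cron against each public nameserver, any `EXPIRING` or `EXPIRED` row means the slave has not transferred the zone since the signatures last rolled.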
