[Pdns-users] DNSSEC Expiry with slaves
Troy Kelly
troy.kelly at really.ai
Fri Sep 8 06:40:15 UTC 2017
Pieter,
Thank you for the advice!
Apologies for the delay in responding - I was waiting to see how things would
play out.
Unfortunately - we still had domains expire with the settings below
configured.
#################################
# default-soa-edit Default SOA-EDIT value
#
# default-soa-edit=
default-soa-edit=INCEPTION-EPOCH
#################################
# default-soa-edit-signed Default SOA-EDIT value for signed zones
#
# default-soa-edit-signed=
default-soa-edit-signed=INCEPTION-EPOCH
Am I missing something else that I need to be doing to trigger a rollover +
increment automatically?
Thanks in advance,
Troy
On 24 August 2017 at 17:28, Pieter Lexis <pieter.lexis at powerdns.com> wrote:
> Hello Troy,
>
> On Thu, 24 Aug 2017 12:05:48 +1000
> Troy Kelly <troy.kelly at really.ai> wrote:
>
> > We recently implemented DNSSEC, and then more recently had several of the
> > RRSIGs expire - and those domains become non-operational.
> >
> > We use PowerDNS as a stealth master, with public nameservers supplied by
> > one of our infrastructure providers.
> >
> > Where we don't make regular changes to the domain - we are going to keep
> > experiencing this expiry issue.
> >
> > Is there some (cron job?) solution that we can implement to roll over and
> > notify a domain before the RRSIGs expire?
> >
> > I had thought of a weekly pdnsutil increase-serial for every domain - but
> > it seems like a real kludge of a solution.
>
> You can use the default-soa-edit-signed configuration item[1] to set the
> default SOA-EDIT metadata value for signed domains.
> The possible values and their outcomes are described in the
> documentation[2].
> In short, the SOA-EDIT value edits the SOA serial after retrieving it from
> the datastore so slaves see a higher SOA when the RRSIG rolls.
> INCREMENT-WEEKS is a safe value that will add the number of weeks since
> the UNIX epoch to the SOA serial, but please read the whole page.
>
> Good luck!
>
> Pieter
>
>
> 1 - https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
> 2 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
>
> --
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com
>
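Added example (not part of the original thread and not PowerDNS code): a small model of how the two SOA-EDIT modes named above change the serial that slaves see, and whether that serial rises at the next weekly signature roll. It assumes INCEPTION-EPOCH yields the maximum of the stored serial and the last inception time in epoch seconds, INCREMENT-WEEKS adds the number of weeks since the epoch, and signatures roll on Thursday 00:00 UTC; the stored serials are constructed samples.

```python
from datetime import datetime, timezone

WEEK = 7 * 86400  # the Unix epoch began on a Thursday at 00:00 UTC


def start_of_week(now: int) -> int:
    """Latest weekly boundary (Thursday 00:00 UTC) at or before `now`."""
    return now - now % WEEK


def edited_serial(mode: str, stored: int, now: int) -> int:
    """Serial shown to slaves under the given SOA-EDIT mode (model only)."""
    mode = mode.upper()
    if mode == "INCEPTION-EPOCH":
        # Maximum of the stored serial and the last inception time.
        return max(stored, start_of_week(now))
    if mode == "INCREMENT-WEEKS":
        # Stored serial plus the number of weeks since the epoch.
        return (stored + start_of_week(now) // WEEK) & 0xFFFFFFFF
    raise ValueError(f"mode not modelled here: {mode}")


def slave_will_refetch(mode: str, stored: int, now: int) -> bool:
    """True if the serial rises across the next weekly boundary.

    A slave only transfers the zone (and its fresh RRSIGs) when it sees a
    higher serial; plain integer comparison is used as a simplification.
    """
    return edited_serial(mode, stored, now + WEEK) > edited_serial(mode, stored, now)


def report(now: int) -> list:
    """Evaluate both modes against two constructed stored serials."""
    rows = []
    for stored in (2017082401, 1503532800):  # date-style, epoch-style (constructed)
        for mode in ("INCEPTION-EPOCH", "INCREMENT-WEEKS"):
            rows.append((mode, stored, edited_serial(mode, stored, now),
                         slave_will_refetch(mode, stored, now)))
    return rows


if __name__ == "__main__":
    now = int(datetime(2017, 9, 8, 6, 40, 15, tzinfo=timezone.utc).timestamp())
    for mode, stored, shown, moves in report(now):
        print(f"{mode:16} stored={stored} shown={shown} refetch={moves}")
```

Under these assumptions a stored serial in YYYYMMDDnn form is numerically larger than the current epoch time, so INCEPTION-EPOCH leaves it unchanged from week to week, while INCREMENT-WEEKS still raises it.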