[Pdns-users] RRSIG expired?

Martin Kellermann kellermann at sk-datentechnik.com
Thu Feb 14 13:17:16 UTC 2019


Hi,

I'm having exactly this same problem:  https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024791.html
On my first attempts with DNSSEC and PowerDNS, the RRSIGs ran into the "expired" state.
The only difference is that the secondary NS are not under my control and are run by the ISP.
I did a "pdnsutil increase-serial" for the zone and everything is fine now. What am I missing to get the automated refresh working?

Here is the requested debugging info for the example zone (ea-80.de):

/etc/powerdns/pdns.conf (most of it is still on defaults and marked out):
# 8bit-dns=no
allow-axfr-ips=<list of allowed IPs>
# allow-dnsupdate-from=127.0.0.0/8,::1
# allow-notify-from=0.0.0.0/0,::/0
# allow-unsigned-notify=yes
# allow-unsigned-supermaster=yes
# also-notify=
# any-to-tcp=yes
api=yes
api-key=###
# api-logfile=/var/log/pdns.log
# api-readonly=no
# axfr-lower-serial=no
# cache-ttl=20
# carbon-interval=30
# carbon-ourname=
# carbon-server=
# chroot=
# config-dir=/etc/powerdns
# config-name=
# control-console=no
# daemon=no
# default-ksk-algorithm=ecdsa256
# default-ksk-size=0
# default-soa-edit=
# default-soa-edit-signed=
# default-soa-mail=
# default-soa-name=a.misconfigured.powerdns.server
# default-ttl=3600
# default-zsk-algorithm=
# default-zsk-size=0
# direct-dnskey=no
# disable-axfr=no
# disable-axfr-rectify=no
# disable-syslog=no
# disable-tcp=no
# distributor-threads=3
# dname-processing=no
# dnssec-key-cache-ttl=30
# dnsupdate=no
# do-ipv6-additional-processing=yes
# domain-metadata-cache-ttl=60
# edns-subnet-processing=no
# entropy-source=/dev/urandom
# expand-alias=no
# forward-dnsupdate=yes
# forward-notify=
# guardian=no
include-dir=/etc/powerdns/pdns.d 
=> content of /etc/powerdns/pdns.d/pdns.gpgsql.conf:
   launch+=gpgsql
   gpgsql-host=localhost
   gpgsql-port=###
   gpgsql-dbname=###
   gpgsql-user=###
   gpgsql-password=###
   gpgsql-dnssec=yes
launch=
# load-modules=
local-address=212.185.173.3
# local-address-nonexist-fail=yes
local-ipv6=2003:47:805b::3
# local-ipv6-nonexist-fail=yes
# local-port=53
# log-dns-details=no
# log-dns-queries=no
# log-timestamp=yes
# logging-facility=
# loglevel=4
# lua-axfr-script=
# lua-dnsupdate-policy-script=
# lua-prequery-script=
master=yes
# max-cache-entries=1000000
# max-ent-entries=100000
# max-nsec3-iterations=500
# max-packet-cache-entries=1000000
# max-queue-length=5000
# max-signature-cache-entries=
# max-tcp-connection-duration=0
# max-tcp-connections=20
# max-tcp-connections-per-client=0
# max-tcp-transactions-per-conn=0
# negquery-cache-ttl=60
# no-shuffle=off
# non-local-bind=no
# only-notify=0.0.0.0/0,::/0
# out-of-zone-additional-processing=yes
# outgoing-axfr-expand-alias=no
# overload-queue-length=0
# prevent-self-notification=yes
# query-cache-ttl=20
# query-local-address=0.0.0.0
# query-local-address6=::
# query-logging=no
# queue-limit=1500
# receiver-threads=1
# resolver=no
# retrieval-threads=2
# reuseport=no
# security-poll-suffix=secpoll.powerdns.com.
# server-id=
setgid=pdns
setuid=pdns
# signing-threads=3
# slave=no
# slave-cycle-interval=60
# slave-renotify=no
# soa-expire-default=604800
# soa-minimum-ttl=3600
# soa-refresh-default=10800
# soa-retry-default=3600
# socket-dir=
# tcp-control-address=
# tcp-control-port=53000
# tcp-control-range=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
# tcp-control-secret=
# tcp-fast-open=0
# tcp-idle-timeout=5
# traceback-handler=yes
# trusted-notification-proxy=
# udp-truncation-threshold=1680
# version-string=full
webserver=yes
webserver-address=127.0.0.1
webserver-allow-from=<list of allowed IPs>
webserver-password=xxx
webserver-port=xxx
# webserver-print-arguments=no
# write-pid=yes
# xfr-max-received-mbytes=100


#dig soa +dnssec +norec @ns.sk-datentechnik.com ea-80.de
;; ANSWER SECTION:
ea-80.de.               86400   IN      RRSIG   SOA 13 2 86400 20190228000000 20190207000000 18574 ea-80.de. XEY+HRlGO+c5OYktwrVOLFQ6JoEuGrPiOesOqJ/OA/sozEvCveSM3tKV SIaL/feAUlo2/bMum4Ub3ON6JkLeiQ==
ea-80.de.               86400   IN      SOA     ns.sk-datentechnik.com. technik.sk-datentechnik.com. 2019020602 28800 7200 604800 86400

#dig soa +dnssec +norec @pns.dtag.de ea-80.de
;; ANSWER SECTION:
ea-80.de.               86400   IN      SOA     ns.sk-datentechnik.com. technik.sk-datentechnik.com. 2019020602 28800 7200 604800 86400
ea-80.de.               86400   IN      RRSIG   SOA 13 2 86400 20190228000000 20190207000000 18574 ea-80.de. XEY+HRlGO+c5OYktwrVOLFQ6JoEuGrPiOesOqJ/OA/sozEvCveSM3tKV SIaL/feAUlo2/bMum4Ub3ON6JkLeiQ==

#dig soa +dnssec +norec @secondary006.dtag.net ea-80.de
;; ANSWER SECTION:
ea-80.de.               86400   IN      SOA     ns.sk-datentechnik.com. technik.sk-datentechnik.com. 2019020602 28800 7200 604800 86400
ea-80.de.               86400   IN      RRSIG   SOA 13 2 86400 20190228000000 20190207000000 18574 ea-80.de. XEY+HRlGO+c5OYktwrVOLFQ6JoEuGrPiOesOqJ/OA/sozEvCveSM3tKV SIaL/feAUlo2/bMum4Ub3ON6JkLeiQ==

#pdnsutil show-zone ea-80.de
This zone is owned by sk
This is a Master zone
Last SOA serial number we notified: 2019020602 == 2019020602 (serial in the database)
Metadata items:
        API-RECTIFY     1
        SOA-EDIT-API    INCEPTION-INCREMENT
Zone has NSEC semantics
keys:
ID = 10 (CSK), flags = 257, tag = 18574, algo = 13, bits = 256    Active ( ECDSAP256SHA256 )
CSK DNSKEY = ea-80.de. IN DNSKEY 257 3 13 FG86tw8NI6Z+MIngWmQOacDTcQqmTcgFK6vhIYfvtC1hzbDh5wZ1LnYW/KC0lHBIibia0bRzjKnJLnBnJm6chw== ; ( ECDSAP256SHA256 )
DS = ea-80.de. IN DS 18574 13 1 4ab182164c8aa58bb2fb8e27f9d855edf1c28545 ; ( SHA1 digest )
DS = ea-80.de. IN DS 18574 13 2 25f7a3316091e448ad46d9fa9485d6fe9ce851cb6027cddb42e0fbab0fb8d310 ; ( SHA256 digest )
DS = ea-80.de. IN DS 18574 13 4 46ce9921de771ce7445fb148814ff806b021680996395c758be9828c1fa375a39f6d33da74027564d170c25b48900ac8 ; ( SHA-384 digest )

Any help would be great!
Also, if there are other mistakes in my config feel free to show me the right way...

Thanks.

Regards

MK
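A defender-side check to go with the dig output above, added here as an example and not code from the post or from the PowerDNS project: it parses RRSIG lines in dig's presentation format (RFC 4034 section 3.2 timestamps, UTC), classifies each signature against a given clock, and reports the SOA serial per server so a monitor can tell whether the secondaries have picked up a re-signed zone. The helper names (parse_rrsig, check_servers, serials_in_sync) and the 7-day warning threshold are this example's own assumptions; the input is the three answer sections quoted in the post. Run at the date of the post it reports all three servers as valid with 13 days left and identical serials.

```python
"""Check RRSIG validity windows in dig output and compare SOA serials across servers.

Added example; the constructed input is the ANSWER SECTION text quoted in the post.
The function names are this example's own, not dig or pdnsutil options.
"""
import re
from datetime import datetime, timedelta, timezone

# RRSIG presentation format as dig prints it:
# owner ttl IN RRSIG type alg labels orig-ttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type_covered>\S+)\s+"
    r"(?P<algorithm>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<key_tag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<signature>.+)$"
)
# Only the serial is needed from the SOA: owner ttl IN SOA mname rname serial ...
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\s")

UTC = timezone.utc


def rrsig_time(field):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def parse_rrsig(line):
    m = RRSIG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": m["owner"],
        "type_covered": m["type_covered"],
        "algorithm": int(m["algorithm"]),
        "key_tag": int(m["key_tag"]),
        "signer": m["signer"],
        "inception": rrsig_time(m["inception"]),
        "expiration": rrsig_time(m["expiration"]),
        "signature": m["signature"].replace(" ", ""),  # dig wraps base64 with spaces
    }


def rrsig_status(sig, now, warn_before=timedelta(days=7)):
    """Classify one signature against a validator's clock 'now'."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn_before:
        return "expiring"
    return "valid"


def parse_answer(lines):
    """Split one ANSWER SECTION into its SOA serial and its RRSIG records."""
    serial, sigs = None, []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if RRSIG_RE.match(line):
            sigs.append(parse_rrsig(line))
        else:
            m = SOA_RE.match(line)
            if m:
                serial = int(m["serial"])
    return {"serial": serial, "rrsigs": sigs}


def check_servers(answers, now, warn_before=timedelta(days=7)):
    """Per server: worst RRSIG status, whole days left on the soonest-expiring signature, SOA serial."""
    order = ["expired", "not-yet-valid", "expiring", "valid"]
    report = {}
    for server, lines in answers.items():
        parsed = parse_answer(lines)
        statuses = [rrsig_status(s, now, warn_before) for s in parsed["rrsigs"]]
        worst = min(statuses, key=order.index) if statuses else "unsigned"
        soonest = min((s["expiration"] for s in parsed["rrsigs"]), default=None)
        days_left = (soonest - now).days if soonest else None
        report[server] = {"status": worst, "days_left": days_left, "serial": parsed["serial"]}
    return report


def serials_in_sync(report):
    """True when every queried server answers with the same SOA serial."""
    return len({r["serial"] for r in report.values()}) == 1


# Constructed input: the three answer sections quoted in the post.
_RRSIG = ("ea-80.de. 86400 IN RRSIG SOA 13 2 86400 20190228000000 20190207000000 18574 ea-80.de. "
          "XEY+HRlGO+c5OYktwrVOLFQ6JoEuGrPiOesOqJ/OA/sozEvCveSM3tKV SIaL/feAUlo2/bMum4Ub3ON6JkLeiQ==")
_SOA = ("ea-80.de. 86400 IN SOA ns.sk-datentechnik.com. technik.sk-datentechnik.com. "
        "2019020602 28800 7200 604800 86400")
ANSWERS = {
    "ns.sk-datentechnik.com": [_RRSIG, _SOA],
    "pns.dtag.de": [_SOA, _RRSIG],
    "secondary006.dtag.net": [_SOA, _RRSIG],
}
MAIL_DATE = datetime(2019, 2, 14, 13, 17, 16, tzinfo=UTC)  # date of the post

if __name__ == "__main__":
    report = check_servers(ANSWERS, MAIL_DATE)
    for server, r in report.items():
        print(f"{server:24} serial={r['serial']} status={r['status']} days_left={r['days_left']}")
    print("serials in sync:", serials_in_sync(report))
```

Because the secondaries only learn about a new signature through a zone transfer, the serial column is the part worth alerting on: an RRSIG that is about to expire on a secondary while the primary already answers with a fresher one shows up here as a serial mismatch, and an RRSIG that is about to expire on all servers with identical serials shows up as "expiring" everywhere.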
