[Pdns-users] RRSIG expired?

Pieter Lexis pieter.lexis at powerdns.com
Fri Feb 15 08:00:40 UTC 2019


Hi Martin,

On 2/14/19 2:17 PM, Martin Kellermann via Pdns-users wrote:
> I'm having exactly this same problem:  https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024791.html
> First attempts with DNSSEC and PowerDNS and the RRSIGs were running into "expired" state.
> Only difference is that secondary NS are not under my control and run by ISP.
> I did a "pdnsutil increase-serial" for the zone and everything is fine now. What am I missing, to get the automated refresh working?
> 
> Here is the requested debugging info for the example zone (ea-80.de):
> 
> /etc/powerdns/pdns.conf (most of it is still on defaults and marked out):
> # default-soa-edit-signed=

There's your problem, the SOA is not increased for signed zones. Please
see the documentation on SOA-EDIT[1] and DNSSEC. If you don't set the
SOA-EDIT metadata for this one zone, you can use the
default-soa-edit-signed setting[2] to automatically increase SOA serials
for all signed zones.

Hope this helps!

Pieter

1 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
2 - https://doc.powerdns.com/authoritative/settings.html#setting-default-soa-edit-signed

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
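
A monitoring check for the failure discussed in this thread, added here as an example (it is not part of the original message and not PowerDNS code): it parses SOA and RRSIG lines in dig presentation format from a primary and a secondary, and flags a secondary that serves the same SOA serial as the primary but older signatures. The server names, zone, serial, key tag and signature data are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed `dig +dnssec SOA` answers; names, serial and signatures are made up.
SOA = "example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019013101 10800 3600 604800 3600"
RRSIG_OLD = "example.org. 3600 IN RRSIG SOA 13 2 3600 20190214000000 20190124000000 12345 example.org. c2ln"
RRSIG_NEW = "example.org. 3600 IN RRSIG SOA 13 2 3600 20190228000000 20190207000000 12345 example.org. c2ln"
ANSWERS = {
    "primary.example": SOA + "\n" + RRSIG_NEW,    # fresh signature on the primary
    "secondary.example": SOA + "\n" + RRSIG_OLD,  # serial unchanged, so no new transfer
}

def parse_answer(text):
    """Return (soa_serial, rrsig_expiration) from one server's answer text."""
    serial = expiration = None
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "SOA" and len(f) >= 7:
            serial = int(f[6])  # RDATA: mname rname serial ...
        elif f[3] == "RRSIG" and f[4] == "SOA" and len(f) >= 9:
            # RDATA: covered algorithm labels orig-ttl expiration inception ...
            expiration = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if serial is None or expiration is None:
        raise ValueError("answer lacks an SOA record or its RRSIG")
    return serial, expiration

def check(answers, primary, now, warn=timedelta(days=3)):
    """Return (server, finding) pairs for expired, expiring or stale signatures."""
    parsed = {srv: parse_answer(txt) for srv, txt in answers.items()}
    p_serial, p_exp = parsed[primary]
    findings = []
    for srv, (serial, exp) in sorted(parsed.items()):
        if exp <= now:
            findings.append((srv, "expired"))
        elif exp - now < warn:
            findings.append((srv, "expiring-soon"))
        # The symptom from the thread: the primary has newer signatures, but the
        # serial did not move, so the secondary had no reason to transfer again.
        if srv != primary and serial == p_serial and exp < p_exp:
            findings.append((srv, "stale-signature-same-serial"))
    return findings

if __name__ == "__main__":
    when = datetime(2019, 2, 14, 13, 17, tzinfo=timezone.utc)
    for server, finding in check(ANSWERS, "primary.example", when):
        print(server, finding)
```
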

