[Pdns-users] RRSIG expired?

Martin Kellermann kellermann at sk-datentechnik.com
Fri Feb 15 08:45:02 UTC 2019


>Hi Martin,
>
>On 2/14/19 2:17 PM, Martin Kellermann via Pdns-users wrote:
>> I'm having exactly this same problem:  https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024791.html
>> First attempts with DNSSEC and PowerDNS and the RRSIGs were running into "expired" state.
>> Only difference is that secondary NS are not under my control and run by ISP.
>> I did a "pdnsutil increase-serial" for the zone and everything is fine now. What am I missing, to get the automated refresh working?
>> 
>> Here is the requested debugging info for the example zone (ea-80.de):
>> 
>> /etc/powerdns/pdns.conf (most of it is still on defaults and marked out):
>> # default-soa-edit-signed=
>
>There's your problem, the SOA is not increased for signed zones. Please
>read the documentation on SOA-EDIT[1] and DNSSEC. If you don't set the
>SOA-EDIT metadata for this one zone, you can use the
>default-soa-edit-signed setting[2] to automatically increase SOA serials
>for all signed zones.
>
>Hope this helps!
>
>Pieter
>
>1 -
>https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
>2 -
>https://doc.powerdns.com/authoritative/settings.html#setting-default-soa-edit-signed
>
>-- 
>Pieter Lexis

Hi Pieter,
thank you very much. I thought this would be automated, when enabling DNSSEC for a zone, sorry.
I already had SOA-EDIT-API metadata (INCEPTION-INCREMENT) for the zone in my database.
Just to clear this out again - I have two choices:
Add another metadata record of kind "SOA-EDIT" to the database or set "default-soa-edit-signed" in pdns.conf.
Correct?

Regards.

MK


