[Pdns-users] DNSSEC signature expirations

Mike mike+lists at yourtownonline.com
Fri Jun 19 13:34:34 UTC 2020


    I have DNSSEC set up for my domains and PowerDNS made it dead
simple. It's been operating without issue for quite a while now without
problem, but then I had a strange network issue and one of my slave
servers couldn't get a fresh AXFR from the hidden master, resulting in
inconsistent data on one of the four servers for my domains, resulting
in a periodic DNSSEC validation failure that was a bit difficult to
troubleshoot. I am now adding some more automated testing to my internal
systems monitoring regime so that I can be notified in the future if any
domain approaches the signature expiration date. But, PowerDNS seems to
assign relatively short signature expiration times, and I want to
understand the process a bit more. It seems like PowerDNS just always
gives a 2 week expiration and doesn't refresh or update that until it
has like a week left before expiration. I caught the bit about Thursdays
etc. and I get that. But, I might want something different... paypal.com,
for example, seems to always be fresh at 30 days. I likely
would want a longer expiration than the PowerDNS default because, if
there is a problem, maybe I need some time to fix underlying issues. Or
maybe I just like the idea of refreshing the signature once per day. I
do trust the developers to know way more than I, but I'd love to know
where these knobs are and how to tweak them if possible.
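The monitoring check the post describes, as an added example that is not part of the original message and not PowerDNS project code. It parses RRSIG records in the form `dig +dnssec +noall +answer` prints them, classifies each signature relative to a clock (expired, close to expiry, not yet valid, fine) and, because the post's actual outage was one secondary serving stale data, also flags any RRset whose signature expiration differs between nameservers. The dig output, the server names ns1/ns2, the zone example.net and the timestamps are constructed sample data; in production, run dig once per nameserver with `@server` and feed each output in.

```python
"""DNSSEC signature-expiry monitor for a zone served by several nameservers.

Added example, not code from the PowerDNS project or the original post. It
parses `dig +dnssec +noall +answer` style output (constructed sample text
below; in production run dig against each nameserver with `@ns`) and reports
RRSIGs that are expired, close to expiry, or inconsistent between servers.
"""
from datetime import datetime, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
# owner TTL IN RRSIG type alg labels orig_ttl expiration inception keytag signer sig...
# The expiration/inception timestamps are YYYYMMDDHHmmSS in UTC.
RRSIG_TIME = "%Y%m%d%H%M%S"


def parse_rrsigs(dig_output):
    """Return a dict per RRSIG line found in dig answer-section output."""
    sigs = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0],
            "covers": f[4],
            "expiration": datetime.strptime(f[8], RRSIG_TIME).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(f[9], RRSIG_TIME).replace(tzinfo=timezone.utc),
            "keytag": int(f[10]),
            "signer": f[11],
        })
    return sigs


def classify(sig, now, warn_days=7.0):
    """Classify one RRSIG relative to `now`; returns (status, days_left)."""
    days_left = (sig["expiration"] - now).total_seconds() / 86400
    if now < sig["inception"]:
        return "NOT_YET_VALID", days_left
    if days_left <= 0:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "WARN", days_left
    return "OK", days_left


def check_servers(outputs_by_server, now, warn_days=7.0):
    """outputs_by_server maps server name -> dig output for the same queries.

    Returns (findings, inconsistent): findings maps (server, owner, covers)
    -> (status, days_left); inconsistent is the set of (owner, covers) whose
    signature expiration differs between servers, which is how a secondary
    that missed an AXFR shows up before its signatures actually expire."""
    findings = {}
    expirations = {}
    for server, text in outputs_by_server.items():
        for sig in parse_rrsigs(text):
            key = (sig["owner"], sig["covers"])
            findings[(server,) + key] = classify(sig, now, warn_days)
            expirations.setdefault(key, set()).add(sig["expiration"])
    inconsistent = {k for k, exps in expirations.items() if len(exps) > 1}
    return findings, inconsistent


def worst_status(findings):
    """Collapse all findings to the single status a monitoring alert would carry."""
    order = ["OK", "WARN", "NOT_YET_VALID", "EXPIRED"]
    return max((s for s, _ in findings.values()), key=order.index, default="OK")


# Constructed sample data (hypothetical zone): ns1 is fresh, ns2 still serves
# signatures from an earlier signing run, the stale-secondary case.
NS1 = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2020061900 10800 3600 604800 3600
example.net. 3600 IN RRSIG SOA 13 2 3600 20200702000000 20200611000000 12345 example.net. c2lnMQ==
www.example.net. 300 IN A 192.0.2.10
www.example.net. 300 IN RRSIG A 13 3 300 20200702000000 20200611000000 12345 example.net. c2lnMg==
"""
NS2 = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2020060400 10800 3600 604800 3600
example.net. 3600 IN RRSIG SOA 13 2 3600 20200618000000 20200528000000 12345 example.net. c2lnMw==
www.example.net. 300 IN A 192.0.2.10
www.example.net. 300 IN RRSIG A 13 3 300 20200620000000 20200528000000 12345 example.net. c2lnNA==
"""
# Fixed clock so the sample is reproducible (the date of the post).
SAMPLE_NOW = datetime(2020, 6, 19, 13, 34, 34, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings, inconsistent = check_servers({"ns1": NS1, "ns2": NS2}, SAMPLE_NOW)
    for (server, owner, covers), (status, days) in sorted(findings.items()):
        print(f"{server:4} {owner:18} {covers:4} {status:13} {days:7.2f} days left")
    for owner, covers in sorted(inconsistent):
        print(f"INCONSISTENT across servers: {owner} {covers}")
    print("overall:", worst_status(findings))
```

Run it against every authoritative server, not just the hidden master: a signature that is fine on the master tells you nothing about a secondary that stopped transferring. Alert on the inconsistency set as well as on the expiry threshold, and set the warning threshold comfortably above the re-signing interval you are actually running so that a missed run is noticed while the old signatures are still valid.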
