Hello,

I was notified this morning by my registrar that validation of my zone records failed. Upon inspection, it turned out that only the SOA record was still up to date. A, AAAA and MX all returned RRSIG expired.

I checked my logs and did not see any warning signs. I also tried to get the zone re-signed manually using 'rndc sign'. That either didn't work or I wasn't patient enough. I ended up removing all DNSSEC related entries from the zone file, increasing the serial and restarting named. Upstream servers had already stopped answering queries, so I was in a bit of a hurry getting this fixed.

Since I want to avoid this happening again, I would like to understand what went wrong. My setup is as follows for the zone in question:

options {

    dnssec-validation yes;
    dnssec-policy default;

};

view "internal" {

    match-clients { local; };
    recursion       no;
    allow-update    { key ddns-key.penguinpee.nl; };

    zone "penguinpee.nl" {
        type    primary;
        file    "dynamic/penguinpee.nl.internal.zone";
    };
};

view "external" {

    match-clients   { any; };
    recursion       no;

    zone "penguinpee.nl" {
        type            primary;
        file            "master/penguinpee.nl.zone";
        allow-query     { any; };
        allow-transfer  { transip; };
        notify          no;
    };
};

Using delv, the internal view of the zone fully validated, for SOA, A, AAAA etc. However in the external view delv told me 'RRSIG has expired' for all records but SOA.

Looking at the zone file, I indeed saw expired entries like:

RRSIG   MX 13 2 300 (
                20220501085742 20220421164308 56132 penguinpee.nl.
                FcrfTtdZDxO1dmarFgvbb+jAM5dT8EOrqGdOywKjQqjL
                dcSHfaFuR8qP5PyyrCW6UOqMxWRjelPqBQBaBIY2aA== )

I thought that with 'dnssec-policy default' BIND would take care of it: upon updating the zone, I increase the serial number and tell named with 'rndc reload zone'. What am I missing?

-- Sandro
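Added example, not part of Sandro's message: a small check that scans the textual zone file for RRSIG records in the format quoted above and reports which signatures are expired, not yet valid, or about to expire, so the condition shows up in monitoring before a validator rejects the zone. The sample zone text is constructed (the MX RRSIG is the one from the post; the SOA RRSIG timestamps and signature are hypothetical).

```python
# Added example (not from the post): flag expired or soon-to-expire RRSIGs in zone text.
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA fields (RFC 4034): type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer, signature. Parentheses and line breaks
# are folded away before matching, so multi-line records are handled.
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(?P<covered>[A-Z0-9]+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+\S+"
)

def rrsig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(zone_text, now, warn=timedelta(days=3)):
    """Return [(type_covered, expiration, status)]; status: expired | not-yet-valid | expiring-soon | ok."""
    flat = re.sub(r";[^\n]*", "", zone_text)  # drop zone-file comments
    flat = re.sub(r"[()]", " ", flat)         # fold parenthesised records
    results = []
    for m in RRSIG_RE.finditer(flat):
        exp, inc = rrsig_time(m["expiration"]), rrsig_time(m["inception"])
        if now >= exp:
            status = "expired"
        elif now < inc:
            status = "not-yet-valid"
        elif exp - now < warn:
            status = "expiring-soon"
        else:
            status = "ok"
        results.append((m["covered"], exp, status))
    return results

# Constructed sample: the expired MX RRSIG quoted in the post, plus a still-valid
# SOA RRSIG with hypothetical timestamps and a dummy signature for contrast.
SAMPLE_ZONE = """\
@   300 IN RRSIG MX 13 2 300 (
                20220501085742 20220421164308 56132 penguinpee.nl.
                FcrfTtdZDxO1dmarFgvbb+jAM5dT8EOrqGdOywKjQqjL
                dcSHfaFuR8qP5PyyrCW6UOqMxWRjelPqBQBaBIY2aA== )
@   300 IN RRSIG SOA 13 2 300 ( 20220520000000 20220510000000 56132 penguinpee.nl.
                ZHVtbXktc2lnbmF0dXJl )
"""

if __name__ == "__main__":
    now = datetime(2022, 5, 11, tzinfo=timezone.utc)  # the post's incident window
    for covered, exp, status in check_rrsigs(SAMPLE_ZONE, now):
        print(f"{covered:5} expires {exp:%Y-%m-%d %H:%M} UTC -> {status}")
```

Run it against the on-disk zone file (or the output of `dig ... AXFR` saved to a file) from cron and alert on anything other than "ok"; it only sees what is written to disk, not what named holds in memory.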