Hi Randy,

Perhaps during the DDoS, the BIND secondary received a corrupt IXFR that added a new RRSIG, but didn't delete the old one? If that's the case, the old RRSIG will persist until you force AXFR; it's the only way to overwrite the zone fully at the secondary. You can set "provide-ixfr: no" for this zone, reload the configuration and then re-sign the zone with "knotc zone-sign <zone>". Once the secondary is corrected, you can remove the "provide-ixfr" option to go back to the default of providing IXFR.

You should consider separating the signing and authoritative functions. Your signer should only sign the zones, and provide XFR to permitted secondaries. It's not a good idea to expose a signer directly to the Internet.

Regards,
Anand

On Fri, 14 Jun 2024 at 20:13, Randy Bush <[email protected]> wrote:
> we may be narrowing it down.
>
> knot returns one RRSIG, bind two, see appended.
>
> my guess is that, if this was generally true, we would have heard about
> it before. so maybe it is something in how we're configured which
> tickles bind secondaries the wrong way. still investigating.
>
> randy
>
> ryuu.rg.net:/Users/randy> dig +vc +dnssec +norec -t dnskey psg.com @
> rip.psg.com
>
> ; <<>> DiG 9.10.6 <<>> +vc +dnssec +norec -t dnskey psg.com @
> rip.psg.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18969
> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;psg.com. IN DNSKEY
>
> ;; ANSWER SECTION:
> psg.com. 86400 IN DNSKEY 256 3 8
> AwEAAZfG8Y++ZmGXwa1sgmHpruUSPljDwMR2pY5bUjjOaJNyUBeLlEAP
> Fyya3MNAKryW26yTxFmwYmyt0UtXyc4L7Ib5/J/Ew+putYpjRfslwPlS
> 5TWblvnbiqGcY/ZMuGrtLeZkvK/o39vXM+Hy5y3xbG4Qu4ySiuW03xMM
> pN50cr8+VcM2RDQn6/W6kESdiY8WaXyD1DT9eIgIyi5zTaOfhSB7u/g7
> H+7LltCAiCZIcIF08CGbS1VEh0YUyw3Th1I6jiQmYeGG6OSGaci5SkjV
> fGTDpHrJOjFlCnUVfg+cYc1YPEojbmo90qO/nG+VB5I+qDYtkU1IR8EB +qXNi7ZbBt8=
> psg.com. 86400 IN DNSKEY 257 3 8
> AwEAAaCgMhvfatdo1jeqr0AsHJY+QB/QVv2O+9W62Sfj+xKCbV5nGgvu
> XqPq2A8tXKT1lG1YF0pe3/ABH2iYNZs7v/a6QAb1wEAYasNz6ZlvRca2
> bDs6KXz/n2B/Oeb2JoWBJ6OqdNtzkDl6CYEOkQoDWRnbR9jlyINOQ0mN
> xfTu2wbXMngSIz78yTadpieyuG/B/TsLQ1SlTUSf436G5NMdxzQ8r7j4
> 5nW7mEORzvvk5Z1mGtfX8v8taw4qFfoIlaf226N06lZ90jpnEHTOGSTA
> T/ii5WVqjBZGFWFYWrNcHR51zHm4QAGKlZ5hzr6lrGZaXqgY7jE3GaOc 86mZhSlyYIs=
> psg.com. 86400 IN RRSIG DNSKEY 8 2 86400
> 20240627155330 20240613142330 53567 psg.com.
> JYhwpuCx+3YcZuumCP2g/1iGCqmIKxR1h3FYP8GdwIjY2i8OZ/T91O5S
> ml+jXmjfvhmb2nZ5+cV4i5KtUjUsS6otrpm4nxuNxUQwDZBxV1VEwFJc
> frS7TaOC+BrsKndJJIVGQ1HftCHGWSIiE/JEeEgeMrRXVLdCKKzADC7e
> oTYPOzf1piSO7rbHN4pGirIqTfBMci6xpc8BOlgc17DSB3aZJj5p3nEt
> Ie/h2goOwh3hue0oh6nuarTnlJhyiKOSBCcSrCjTl1Gfzq9sKyflEA2N
> NL0lJepqPkyf2kG+HkwGBKmrGlOeUDhNwR9qVwIvd/g/dtOscHnwTOWJ nuf7RQ==
>
> ;; Query time: 21 msec
> ;; SERVER: 2001:418:1::39#53(2001:418:1::39)
> ;; WHEN: Fri Jun 14 11:01:44 PDT 2024
> ;; MSG SIZE rcvd: 883
>
>
> ryuu.rg.net:/Users/randy> dig +vc +dnssec +norec -t dnskey psg.com @
> nlns.globnix.net
>
> ; <<>> DiG 9.10.6 <<>> +vc +dnssec +norec -t dnskey psg.com @
> nlns.globnix.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9580
> ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;psg.com. IN DNSKEY
>
> ;; ANSWER SECTION:
> psg.com. 86400 IN DNSKEY 256 3 8
> AwEAAZfG8Y++ZmGXwa1sgmHpruUSPljDwMR2pY5bUjjOaJNyUBeLlEAP
> Fyya3MNAKryW26yTxFmwYmyt0UtXyc4L7Ib5/J/Ew+putYpjRfslwPlS
> 5TWblvnbiqGcY/ZMuGrtLeZkvK/o39vXM+Hy5y3xbG4Qu4ySiuW03xMM
> pN50cr8+VcM2RDQn6/W6kESdiY8WaXyD1DT9eIgIyi5zTaOfhSB7u/g7
> H+7LltCAiCZIcIF08CGbS1VEh0YUyw3Th1I6jiQmYeGG6OSGaci5SkjV
> fGTDpHrJOjFlCnUVfg+cYc1YPEojbmo90qO/nG+VB5I+qDYtkU1IR8EB +qXNi7ZbBt8=
> psg.com. 86400 IN DNSKEY 257 3 8
> AwEAAaCgMhvfatdo1jeqr0AsHJY+QB/QVv2O+9W62Sfj+xKCbV5nGgvu
> XqPq2A8tXKT1lG1YF0pe3/ABH2iYNZs7v/a6QAb1wEAYasNz6ZlvRca2
> bDs6KXz/n2B/Oeb2JoWBJ6OqdNtzkDl6CYEOkQoDWRnbR9jlyINOQ0mN
> xfTu2wbXMngSIz78yTadpieyuG/B/TsLQ1SlTUSf436G5NMdxzQ8r7j4
> 5nW7mEORzvvk5Z1mGtfX8v8taw4qFfoIlaf226N06lZ90jpnEHTOGSTA
> T/ii5WVqjBZGFWFYWrNcHR51zHm4QAGKlZ5hzr6lrGZaXqgY7jE3GaOc 86mZhSlyYIs=
> psg.com. 86400 IN RRSIG DNSKEY 8 2 86400
> 20240626012025 20240611235025 53567 psg.com.
> G37kmJujQDabkfi9uQkgbaYfSm3f7D8Z7ulaH+a8MOaE23s1ZX0MMUkF
> gaZ6ESgJechUXt7mWRnuLQtp+G5GhnQz80NO1ZUba3EPU4ITAd2MRykn
> p3gM1dy82eGojjHDhLNIdE1FPExhmbluQx1WpCJPPCRc+oy0eAGfoLtu
> cPFhBH1s31EVvN4wXF1x8LJ3GQz7kn7BehMDFHEA4lAX9L5zRsLmYX6J
> 5wWH9HZ2pCLkqzYR78/9iqmmmiUlEjfW0j0egjYCk1Fxm2GSpEMRy0q2
> s+cChVRpg/WvHH2ORjGf9MyAFKyu7k71F0R/vncbU5mkdymR23UEvILt 1xuAYQ==
> psg.com. 86400 IN RRSIG DNSKEY 8 2 86400
> 20240627155330 20240613142330 53567 psg.com.
> JYhwpuCx+3YcZuumCP2g/1iGCqmIKxR1h3FYP8GdwIjY2i8OZ/T91O5S
> ml+jXmjfvhmb2nZ5+cV4i5KtUjUsS6otrpm4nxuNxUQwDZBxV1VEwFJc
> frS7TaOC+BrsKndJJIVGQ1HftCHGWSIiE/JEeEgeMrRXVLdCKKzADC7e
> oTYPOzf1piSO7rbHN4pGirIqTfBMci6xpc8BOlgc17DSB3aZJj5p3nEt
> Ie/h2goOwh3hue0oh6nuarTnlJhyiKOSBCcSrCjTl1Gfzq9sKyflEA2N
> NL0lJepqPkyf2kG+HkwGBKmrGlOeUDhNwR9qVwIvd/g/dtOscHnwTOWJ nuf7RQ==
>
> ;; Query time: 250 msec
> ;; SERVER: 2a02:898:31::53:0#53(2a02:898:31::53:0)
> ;; WHEN: Fri Jun 14 11:01:27 PDT 2024
> ;; MSG SIZE rcvd: 1178
> --
>
--
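As an added check, not code from the thread or from either DNS project, the script below takes dig output of the kind Randy pasted, one capture per authoritative server, and reports which RRSIGs a server carries that the others do not, flagging the case Anand describes: an older signature by the same key that a newer one has superseded. The sample captures are constructed with placeholder signature blobs; the key tag and timestamps are those in the quoted output.

```python
from collections import namedtuple

RRSig = namedtuple("RRSig", "covered alg tag inception expiration signature")

def records(dig_text):
    """Yield one token list per record; ';' lines dropped, records split at '<owner> <ttl> IN'."""
    toks = []
    for line in dig_text.splitlines():
        line = line.lstrip("> ")  # tolerate mail quoting; rejoins RDATA wrapped over lines
        if line and not line.startswith(";"):
            toks.extend(line.split())
    starts = [i for i in range(len(toks) - 2) if toks[i + 1].isdigit() and toks[i + 2] == "IN"]
    for a, b in zip(starts, starts[1:] + [len(toks)]):
        yield toks[a:b]

def rrsigs(dig_text):
    """RRSIG records in one server's dig output as a set of RRSig tuples."""
    # owner ttl IN RRSIG covered alg labels origttl expiration inception tag signer sig...
    return {RRSig(r[4], int(r[5]), int(r[10]), r[9], r[8], "".join(r[12:]))
            for r in records(dig_text) if len(r) > 12 and r[3] == "RRSIG"}

def disputed(captures):
    """captures: {server: dig_text}. Return {server: [RRSigs not on every server]}."""
    per_server = {srv: rrsigs(txt) for srv, txt in captures.items()}
    agreed = set.intersection(*per_server.values())
    return {srv: sorted(s - agreed) for srv, s in per_server.items() if s - agreed}

def is_superseded(sig, all_sigs):
    """A later RRSIG by the same key over the same type exists: residue of an IXFR add without delete."""
    return any(o.covered == sig.covered and o.tag == sig.tag and o.alg == sig.alg
               and o.inception > sig.inception and o.expiration > sig.expiration
               for o in all_sigs)

# Constructed sample modelled on the thread: the signer answers with one RRSIG, the
# secondary with two. Blobs are placeholders; key tag and timestamps are from the dig output.
SIGNER = """\
> ;; ANSWER SECTION:
> psg.com. 86400 IN DNSKEY 256 3 8 PLACEHOLDER-ZSK
> psg.com. 86400 IN RRSIG DNSKEY 8 2 86400
> 20240627155330 20240613142330 53567 psg.com.
> PLACEHOLDER-NEW-SIG-PART1 PLACEHOLDER-NEW-SIG-PART2
"""
SECONDARY = SIGNER.replace("> psg.com. 86400 IN RRSIG", "> psg.com. 86400 IN RRSIG DNSKEY 8 2 86400\n"
                           "> 20240626012025 20240611235025 53567 psg.com. PLACEHOLDER-OLD-SIG\n"
                           "> psg.com. 86400 IN RRSIG", 1)

if __name__ == "__main__":
    caps = {"rip.psg.com": SIGNER, "nlns.globnix.net": SECONDARY}
    for srv, extras in disputed(caps).items():
        print(srv, [(s.tag, s.expiration, is_superseded(s, rrsigs(caps[srv]))) for s in extras])
```

A server listed with a superseded signature is the one to refresh with a full AXFR; a disputed signature that nothing supersedes points at a different problem, such as servers holding different zone serials.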
