Hello Troy,

On Thu, 24 Aug 2017 12:05:48 +1000 Troy Kelly <[email protected]> wrote:

> We recently implemented DNSSEC, and then more recently had several of the
> RRSIGs expire - and those domains became non-operational.
>
> We use PowerDNS as a stealth master, with public nameservers supplied by
> one of our infrastructure providers.
>
> Where we don't make regular changes to the domain - we are going to keep
> experiencing this expiry issue.
>
> Is there some (cron job?) solution that we can implement to roll over and
> notify a domain before the RRSIGs expire?
>
> I had thought of a weekly pdnsutil increase-serial for every domain - but
> it seems like a real kludge of a solution.

You can use the default-soa-edit-signed configuration item[1] to set the default SOA-EDIT metadata value for signed domains. The possible values and their outcomes are described in the documentation[2].

In short, the SOA-EDIT value edits the SOA serial after retrieving it from the datastore, so slaves see a higher SOA when the RRSIG rolls. INCREMENT-WEEKS is a safe value that will add the number of weeks since the UNIX epoch to the SOA serial, but please read the whole page.

Good luck!

Pieter

1 - https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
2 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
