Pieter,

Thank you for the advice!
Apologies for the delay responding - I was waiting to see how things would play out.

Unfortunately - we still had domains expire with the settings below configured.

#################################
# default-soa-edit      Default SOA-EDIT value
#
# default-soa-edit=
default-soa-edit=INCEPTION-EPOCH

#################################
# default-soa-edit-signed       Default SOA-EDIT value for signed zones
#
# default-soa-edit-signed=
default-soa-edit-signed=INCEPTION-EPOCH

Am I missing something else that I need to be doing to trigger a rollover + increment automatically?

Thanks in advance,
Troy

<https://really.ai/>
Troy Kelly
Chief Executive Officer
180 Sansome Street, Level 2, San Francisco, CA 94104
<https://www.google.com.au/maps/place/Really+Really,+Inc./@37.791917,-122.4006616,15z/data=!4m5!3m4!1s0x0:0x7dc9cf280bcafff3!8m2!3d37.791917!4d-122.4006616>
p. +1-650-215-6253 | p. +61-2-8039-4567 | e. [email protected]

On 24 August 2017 at 17:28, Pieter Lexis <[email protected]> wrote:

> Hello Troy,
>
> On Thu, 24 Aug 2017 12:05:48 +1000
> Troy Kelly <[email protected]> wrote:
>
> > We recently implemented DNSSEC, and then more recently had several of the
> > RRSIG's expire - and those domains become unoperational.
> >
> > We use PowerDNS as a stealth master, with public nameservers supplied by
> > one of our infrastructure providers.
> >
> > Where we don't make regular changes to the domain - we are going to keep
> > experiencing this expiry issue.
> >
> > Is there some (cron job?) solution that we can implement to roll over and
> > notify a domain before the RRSIG's expire?
> >
> > I had thought of a weekly pdnsutil increase-serial for every domain - but
> > it seems like a real kludge of a solution.
>
> You can use the default-soa-edit-signed configuration item[1] to set the
> default SOA-EDIT metadata value for signed domains.
> The possible values and their outcomes are described on the
> documentation[2].
> In short, the SOA-EDIT value edits the SOA serial after retrieving it from
> the datastore so slaves see a higher SOA when the RRSIG rolls.
> INCREMENT-WEEKS is a safe value that will add the number of weeks since
> the UNIX epoch to the SOA serial, but please read the whole page.
>
> Good luck!
>
> Pieter
>
>
> 1 - https://doc.powerdns.com/authoritative/settings.html#default-soa-edit-signed
> 2 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
>
> --
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
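The two SOA-EDIT modes named in this thread, modelled as an added example (not code from the thread or from PowerDNS). It assumes the behaviour given in the SOA-EDIT documentation linked above: INCEPTION-EPOCH serves the larger of the stored serial and the epoch time of the most recent Thursday 00:00 UTC, and INCREMENT-WEEKS adds the number of weeks since the UNIX epoch to the stored serial. The stored serials, the clock value and the function names are constructed for illustration.

```python
WEEK = 7 * 86400  # seconds; UNIX time 0 fell on a Thursday 00:00 UTC


def start_of_week(now):
    """Most recent Thursday 00:00 UTC at or before `now` (assumed weekly roll point)."""
    return now - (now % WEEK)


def served_serial(mode, stored, now):
    """SOA serial the slaves would see for an unchanged zone (assumed semantics)."""
    inception = start_of_week(now)
    if mode == "INCEPTION-EPOCH":
        # Only helps when the stored serial is itself epoch-based and older.
        return max(stored, inception)
    if mode == "INCREMENT-WEEKS":
        # Moves every week regardless of how the stored serial is formatted.
        return stored + inception // WEEK
    raise ValueError("unsupported SOA-EDIT mode: " + mode)


def advances(mode, stored, now):
    """True if the served serial is higher one week later with no zone edits."""
    return served_serial(mode, stored, now + WEEK) > served_serial(mode, stored, now)


# Constructed inputs: Sunday 27 Aug 2017 00:00 UTC and two serial styles.
NOW = 1503792000
EPOCH_STYLE = 1500000000   # serial kept as seconds since the epoch
DATE_STYLE = 2017082401    # serial kept as YYYYMMDDnn

if __name__ == "__main__":
    for mode in ("INCEPTION-EPOCH", "INCREMENT-WEEKS"):
        for stored in (EPOCH_STYLE, DATE_STYLE):
            print(mode, stored,
                  "served:", served_serial(mode, stored, NOW),
                  "advances weekly:", advances(mode, stored, NOW))
```

Under these assumptions, a YYYYMMDDnn serial is already larger than any current epoch value, so INCEPTION-EPOCH serves it unchanged each week and the slaves have no reason to transfer the zone again.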
