Maybe related to your earlier reported problem, when signed zone data is not 
updated after updates to the zone?

And what I already read about 9.11.15, hopefully fixed there.

Jukka

-----Original message-----
From: bind-users <bind-users-boun...@lists.isc.org> On behalf of Matthew 
Richardson
Sent: 5 February 2020 19:28
To: bind-users@lists.isc.org
Subject: Bind 9.11.13 - inline re-signing stops

I have an interesting issue with a hidden master running 9.11.13 and configured 
with inline signing on a number of zones, configured thus:-

>zone "42.201.193.in-addr.arpa" {
>    type master;
>    file "zones/master/42.201.193.in-addr.arpa.db";
>    inline-signing yes;
>    auto-dnssec maintain;
>};

Prior to 30 January, all the zones configured in this way were regularly being 
resigned, logging entries such as:-

>29-Jan-2020 03:37:02.129 general: info: zone 42.201.193.in-addr.arpa/IN 
>(signed): reconfiguring zone keys
>29-Jan-2020 03:37:02.131 general: info: zone 42.201.193.in-addr.arpa/IN 
>(signed): next key event: 29-Jan-2020 15:37:02.129
>29-Jan-2020 15:37:02.129 general: info: zone 42.201.193.in-addr.arpa/IN 
>(signed): reconfiguring zone keys
>29-Jan-2020 15:37:02.131 general: info: zone 42.201.193.in-addr.arpa/IN 
>(signed): next key event: 30-Jan-2020 03:37:02.129
>30-Jan-2020 03:35:01.604 general: info: zone 42.201.193.in-addr.arpa/IN 
>(signed): reconfiguring zone keys
>30-Jan-2020 03:35:01.606 general: info: zone 42.201.193.in-addr.arpa/IN 
>(signed): next key event: 30-Jan-2020 15:35:01.604

Since an "rndc reload" at 12:22 on 30 January, this logging has stopped and 
NONE of the signed zones have had any of their RRSIGs re-signed.  Today, one 
sees:-

>[root@m70 dns]# rndc zonestatus 42.201.193.in-addr.arpa
>name: 42.201.193.in-addr.arpa
>type: master
>files: zones/master/42.201.193.in-addr.arpa.db
>serial: 286
>signed serial: 3829
>nodes: 140
>last loaded: Sun, 24 Nov 2019 07:13:00 GMT
>secure: yes
>inline signing: yes
>key maintenance: automatic
>next key event: Wed, 05 Feb 2020 18:01:42 GMT
>next resign node: DI2VMBB2GDES2IKFVFRUB7DIDDC7TI8L.42.201.193.in-addr.arpa/NSEC3
>next resign time: Thu, 30 Jan 2020 21:25:35 GMT
>dynamic: no
>reconfigurable via modzone: no

which clearly shows "next resign" as being in the past.  The server
reports:-

>[root@m70 dns]# rndc status
>version: BIND 9.11.13 (Extended Support Version) <id:ad4df16>
>running on m70: Linux x86_64 4.14.120-x86_64-linode125 #1 SMP Mon May 20 16:43:35 UTC 2019
>boot time: Sun, 24 Nov 2019 09:51:27 GMT
>last configured: Wed, 05 Feb 2020 18:10:21 GMT
>configuration file: /etc/named.conf
>CPUs found: 1
>worker threads: 1
>UDP listeners per interface: 1
>number of zones: 773 (0 automatic)
>debug level: 0
>xfers running: 0
>xfers deferred: 0
>soa queries in progress: 0
>query logging is OFF
>recursive clients: 0/900/1000
>tcp clients: 6/150
>TCP high-water: 64
>server is up and running

As a test I tried incrementing the serial number of only one of the signed 
zones and, after a reload, that zone seems to be being resigned normally.

My suspicion is that restarting Bind will simply fix the issue.

However, I was wondering whether there might be any troubleshooting or 
diagnosis which it might be useful to undertake.  Were ISC to want, it would 
probably be possible to get them temporary access.

Best wishes,
Matthew
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
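The symptom described in the thread, a "next resign time" that has already passed, is easy to miss until RRSIGs start expiring. The following is an added monitoring example, not code from the thread or from ISC: it parses the key: value output of `rndc zonestatus` and flags inline-signed zones whose scheduled re-sign is overdue. The `SAMPLE_STATUS` text is constructed from the output quoted above; the one-hour grace period is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format rndc prints, e.g. "Thu, 30 Jan 2020 21:25:35 GMT".
RNDC_TIME_FMT = "%a, %d %b %Y %H:%M:%S GMT"

def parse_zonestatus(text):
    """Turn the 'key: value' lines of 'rndc zonestatus' into a dict."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; times contain colons
        if sep:
            status[key.strip()] = value.strip()
    return status

def parse_rndc_time(value):
    """Parse an rndc timestamp into an aware UTC datetime."""
    return datetime.strptime(value, RNDC_TIME_FMT).replace(tzinfo=timezone.utc)

def resign_overdue(status, now, grace=timedelta(hours=1)):
    """True when an inline-signed zone's next scheduled re-sign is past due."""
    if status.get("inline signing") != "yes":
        return False  # not inline-signed, nothing to check here
    when = status.get("next resign time")
    if when is None:
        return False  # no re-sign scheduled (e.g. unsigned zone)
    return parse_rndc_time(when) + grace < now

def overdue_zones(outputs, now):
    """Given a list of zonestatus texts, return the names of overdue zones."""
    names = []
    for text in outputs:
        status = parse_zonestatus(text)
        if resign_overdue(status, now):
            names.append(status["name"])
    return names

# Constructed sample modelled on the zonestatus output quoted in the thread.
SAMPLE_STATUS = """\
name: 42.201.193.in-addr.arpa
signed serial: 3829
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 05 Feb 2020 18:01:42 GMT
next resign time: Thu, 30 Jan 2020 21:25:35 GMT
"""

if __name__ == "__main__":
    # In production, feed the real output of `rndc zonestatus <zone>` per zone.
    print(overdue_zones([SAMPLE_STATUS], datetime.now(timezone.utc)))
```

Run from cron over every inline-signed zone, a non-empty result is the early warning that re-signing has stalled, well before the RRSIG expiry shows up as validation failures.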
