What do the logs say? Have you checked them?

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 15. 6. 2023, at 15:54, Michael Martinell via bind-users
> <bind-users@lists.isc.org> wrote:
>
> Anybody have any ideas on why my dnssec records don’t always automatically
> update on my NS2 authoritative server? On my NS1 authoritative server the
> records update without issue.
> NS2 is an exact copy of NS1. We SCP all of the config files from the first
> server to the second server and do “rndc reconfig && rndc reload && systemctl
> restart bind” on both servers.
> They are both Centos 7 running Bind 9.16.40.
> When it fails, I get this message:
> [root@ns2 ~]# delv itctel.com @ns2.itctel.com
> ;; validating itctel.com/A: verify failed due to bad signature (keyid=3593):
> RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
> ;; validating itctel.com/A: verify failed due to bad signature (keyid=3593):
> RRSIG has expired
> ;; validating itctel.com/A: no valid signature found
> ;; RRSIG has expired resolving 'itctel.com/A/IN':
> 2607:d600:9000:300:75:102:160:231#53
> ;; resolution failed: RRSIG has expired
> I have this policy in named.conf
> dnssec-policy "itc-no-rotate" {
>     keys {
>         ksk key-directory lifetime unlimited algorithm 13;
>         zsk key-directory lifetime unlimited algorithm 13;
>     };
>     nsec3param;
> };
> I have this set up in a custom includes file:
> zone "itctel.com" in {
>     type master;
>     file "forward/itctel.com.zone";
>     dnssec-policy itc-no-rotate;
>     inline-signing yes;
> };
> No changes to my actual zone files. The inline signing takes care of
> everything.
> Here is a list of my files for this domain
> /var/named/forward/itctel.com.zone
> /var/named/forward/itctel.com.zone.jnl
> /var/named/forward/itctel.com.zone.signed
> /var/named/forward/itctel.com.zone.jbk
> /var/named/forward/itctel.com.zone.new
> /var/named/forward/itctel.com.zone.signed.jnl
> Michael Martinell
> Network/Broadband Technician
>
> Interstate Telecommunications Coop., Inc.
> 312 4th Street West • Clear Lake, SD 57226
> Phone: (605) 874-8313
> michael.martin...@itccoop.com
> www.itc-web.com
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
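
Added example, not part of the thread and not ISC code: a monitoring check that compares RRSIG validity across both authoritative servers, which is the failure delv reports in the quoted message. The sample answers, timestamps, address and function names are constructed; only the zone name, key tag 3593 and algorithm 13 come from the post.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample answers in dig presentation format (signature data shortened).
# Only the zone name, key tag 3593 and algorithm 13 come from the thread.
SAMPLE = {
    "ns1": "itctel.com. 3600 IN A 192.0.2.10\n"
           "itctel.com. 3600 IN RRSIG A 13 2 3600 20230625120000 20230611110000 3593 itctel.com. c2lnMQ==",
    "ns2": "itctel.com. 3600 IN A 192.0.2.10\n"
           "itctel.com. 3600 IN RRSIG A 13 2 3600 20230610120000 20230527110000 3593 itctel.com. c2lnMg==",
}

def _ts(value):
    """RRSIG times in presentation format are YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return the validity fields of one RRSIG line, or None for any other record."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        return None
    # Field order: owner TTL class RRSIG covered alg labels origTTL expiration inception keytag signer sig
    return {"covered": f[4], "algorithm": int(f[5]), "expires": _ts(f[8]),
            "inception": _ts(f[9]), "keytag": int(f[10]), "signer": f[11]}

def status(sig, now, warn):
    """Classify one signature against the clock and a warning window."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expires"]:
        return "expired"
    return "expiring" if sig["expires"] - now <= warn else "ok"

def compare(answers, now, warn=timedelta(days=3)):
    """Map each server to [(type covered, key tag, status)] for every RRSIG it served."""
    report = {}
    for server, text in answers.items():
        sigs = [s for s in map(parse_rrsig, text.splitlines()) if s]
        report[server] = ([(s["covered"], s["keytag"], status(s, now, warn)) for s in sigs]
                          or [("-", 0, "unsigned")])
    return report

if __name__ == "__main__":
    now = datetime(2023, 6, 15, 15, 54, tzinfo=timezone.utc)  # constructed clock
    for server, rows in compare(SAMPLE, now).items():
        for covered, keytag, state in rows:
            print(f"{server}: RRSIG({covered}) keytag={keytag} {state}")
```

In practice the per-server text would come from `dig +dnssec +norecurse itctel.com A @<server>` run against each authoritative server, so a stale signer on one of them is flagged before resolvers start failing validation.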