First of all, I don't recommend copying the configuration and having two
primaries signing the same zone. It would at least need some key
management synchronizing the signing keys.
I see that the DNSKEY set from ns1 differs from ns2 (there are two more
keys there, where do they come from?)
Please provide 'rndc dnssec -status' output for the zone on both servers.
Please provide the logs as Ondrej said. Also preferably everything on
level 3 debug.
Best regards,
Matthijs
On 6/15/23 15:54, Michael Martinell via bind-users wrote:
Anybody have any ideas on why my dnssec records don’t always
automatically update on my NS2 authoritative server? On my NS1
authoritative server the records update without issue.
NS2 is an exact copy of NS1. We SCP all of the config files from the
first server to the second server and do “rndc reconfig && rndc reload
&& systemctl restart bind” on both servers.
They are both Centos 7 running Bind 9.16.40.
When it fails, I get this message:
[root@ns2 ~]# delv itctel.com @ns2.itctel.com
;; validating itctel.com/A: verify failed due to bad signature
(keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
;; validating itctel.com/A: verify failed due to bad signature
(keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN':
2607:d600:9000:300:75:102:160:231#53
;; resolution failed: RRSIG has expired
I have this policy in named.conf
dnssec-policy "itc-no-rotate" {
keys {
ksk key-directory lifetime unlimited algorithm 13;
zsk key-directory lifetime unlimited algorithm 13;
};
nsec3param;
};
I have this set up in a custom includes file:
zone "itctel.com" in {
type master;
file "forward/itctel.com.zone";
dnssec-policy itc-no-rotate;
inline-signing yes;
};
No changes to my actual zone files. The inline signing takes care of
everything.
Here is a list of my files for this domain
/var/named/forward/itctel.com.zone
/var/named/forward/itctel.com.zone.jnl
/var/named/forward/itctel.com.zone.signed
/var/named/forward/itctel.com.zone.jbk
/var/named/forward/itctel.com.zone.new
/var/named/forward/itctel.com.zone.signed.jnl
*Michael Martinell*
Network/Broadband Technician
*Interstate Telecommunications Coop., Inc.
*312 4th Street West • Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martin...@itccoop.com
www.itc-web.com
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
