First of all, I don't recommend copying the configuration and having two primaries signing the same zone. It would at least need some key management synchronizing the signing keys.

I see that the DNSKEY set from ns1 differs from ns2 (there are two more keys there, where do they come from?)

Please provide 'rndc dnssec -status' output for the zone on both servers.

Please provide the logs as Ondrej said. Also preferably everything on level 3 debug.

Best regards,

Matthijs
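An added example of the comparison Matthijs is asking for (this is not code from the thread or from ISC's BIND): it parses the DNSKEY RRsets as printed by `dig DNSKEY itctel.com @ns1` and `@ns2`, computes each key's tag with the RFC 4034 Appendix B algorithm, and lists the keys that exist on only one of the two servers. The records and public keys embedded below are constructed dummies, not real itctel.com keys, and single-line `dig` output (no +multiline) is assumed.

```python
"""Compare the DNSKEY RRsets served by two authoritative servers.

Added example, not part of the bind-users thread and not BIND code. Input is
the answer section of `dig DNSKEY <zone> @<server>` for each server; output
is the set of key tags each side has, and which keys are only on one side.
"""
import base64
import struct
from dataclasses import dataclass

# Constructed sample answers (dummy public keys, not real itctel.com data).
NS1_DNSKEY = """\
itctel.com.  3600 IN DNSKEY 257 3 13 3q2+7wARIjM=
itctel.com.  3600 IN DNSKEY 256 3 13 AAECAwQFBgc=
"""
# ns2 serves the same two keys plus two more, as Matthijs observed.
NS2_DNSKEY = """\
itctel.com.  3600 IN DNSKEY 257 3 13 3q2+7wARIjM=
itctel.com.  3600 IN DNSKEY 256 3 13 AAECAwQFBgc=
itctel.com.  3600 IN DNSKEY 257 3 13 CAkKCwwNDg8=
itctel.com.  3600 IN DNSKEY 256 3 13 EBESExQVFhc=
"""


@dataclass(frozen=True)
class Dnskey:
    flags: int
    protocol: int
    algorithm: int
    pubkey_b64: str

    @property
    def role(self) -> str:
        # The low-order flag bit is SEP; by convention it marks the KSK.
        return "KSK" if self.flags & 1 else "ZSK"


def key_tag(key: Dnskey) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm)
    rdata += base64.b64decode(key.pubkey_b64)
    ac = 0
    for i, octet in enumerate(rdata):
        # Even-offset octets go in the high byte, odd-offset ones in the low byte.
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text: str) -> set[Dnskey]:
    """Parse every single-line DNSKEY record; other types are ignored."""
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        # ... DNSKEY <flags> <protocol> <algorithm> <base64 public key ...>
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        keys.add(Dnskey(flags, proto, alg, "".join(fields[i + 4:])))
    return keys


def compare_dnskeys(ns1_text: str, ns2_text: str) -> dict[str, list[tuple[int, str]]]:
    """Return sorted (key tag, role) lists: common, only on ns1, only on ns2."""
    a, b = parse_dnskeys(ns1_text), parse_dnskeys(ns2_text)

    def tags(keys: set[Dnskey]) -> list[tuple[int, str]]:
        return sorted((key_tag(k), k.role) for k in keys)

    return {"common": tags(a & b), "only_ns1": tags(a - b), "only_ns2": tags(b - a)}


if __name__ == "__main__":
    for side, keys in compare_dnskeys(NS1_DNSKEY, NS2_DNSKEY).items():
        print(f"{side:<9}", ", ".join(f"{tag} ({role})" for tag, role in keys) or "-")
```

Keys that appear under `only_ns2` are the ones to account for: with two independent primaries each running its own dnssec-policy, extra keys are exactly what you would expect, since each named instance generates and manages its own key files in its key-directory.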

On 6/15/23 15:54, Michael Martinell via bind-users wrote:
Anybody have any ideas on why my dnssec records don’t always automatically update on my NS2 authoritative server?  On my NS1 authoritative server the records update without issue.

NS2 is an exact copy of NS1. We SCP all of the config files from the first server to the second server and do “rndc reconfig && rndc reload && systemctl restart bind” on both servers.

They are both Centos 7 running Bind 9.16.40.

When it fails, I get this message:

[root@ns2 ~]# delv itctel.com @ns2.itctel.com
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 2607:d600:9000:300:75:102:160:231#53
;; resolution failed: RRSIG has expired

I have this policy in named.conf

dnssec-policy "itc-no-rotate" {
        keys {
                ksk key-directory lifetime unlimited algorithm 13;
                zsk key-directory lifetime unlimited algorithm 13;
        };
        nsec3param;
};

I have this set up in a custom includes file:

zone "itctel.com" in {
        type master;
        file "forward/itctel.com.zone";
        dnssec-policy itc-no-rotate;
        inline-signing yes;
};

No changes to my actual zone files. The inline signing takes care of everything.

Here is a list of my files for this domain:

/var/named/forward/itctel.com.zone
/var/named/forward/itctel.com.zone.jnl
/var/named/forward/itctel.com.zone.signed
/var/named/forward/itctel.com.zone.jbk
/var/named/forward/itctel.com.zone.new
/var/named/forward/itctel.com.zone.signed.jnl

Michael Martinell
Network/Broadband Technician

Interstate Telecommunications Coop., Inc.
312 4th Street West • Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martin...@itccoop.com
www.itc-web.com
