On 01.10.2015 at 14:35, Wolfgang Rosenauer wrote:
> Hi,
>
> one of my DNSSEC/DANE secured domains started breaking as of today and I do not fully understand why. Probably bright people here can point me to the correct resolution?
>
> I'm using bind and its
> auto-dnssec maintain;
> inline-signing yes;
>
> Also I'm not aware that my KSK and ZSK keys have any expiration date, but today DNSSEC started to fail, apparently because my RRSIG signatures are said to be expired.
> Actually my first idea is that the automatic maintenance in bind failed for some reason. So I deleted the journal and signed zone files and started over by signing the zone from scratch. This at least improved the situation a little bit according to
> http://dnsviz.net/d/rosenauer.org/dnssec/
>
> But still it seems to be broken and I'm currently lost trying to understand what is wrong.
>
> Thanks for any pointers,
> Wolfgang

There are 2 nameservers known: yaina.de. and ns.an-netz.de. According to the SOA, yaina.de seems to be a secondary.

I guess the zone transfer from primary to secondary did not happen because the zone serial is still the same. Compare "dig @yaina.de. rosenauer.org. ns +dnssec" with "dig @ns.an-netz.de. rosenauer.org. ns +dnssec": the primary has more and newer RRSIGs.

-> Every time a re-sign happens, the serial number must be changed.

Andreas

--
A. Schulze
DATEV eG
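Added example, not from the thread: a stdlib-only Python check that applies Andreas's diagnosis to the text form of two `dig +dnssec` answers. The answers, the zone name example.invalid and the key tag are constructed sample data standing in for the real zone; the check flags RRSIGs that have expired on either server and a serial that stayed the same while the RRSIG set changed, which is exactly the condition under which a secondary never transfers the fresh signatures.

```python
from datetime import datetime, timezone

# Constructed sample answers in the text form "dig ... +dnssec" prints (not real data).
PRIMARY = """\
example.invalid. 3600 IN SOA ns1.example.invalid. hostmaster.example.invalid. 2015100102 7200 3600 1209600 3600
example.invalid. 3600 IN RRSIG SOA 8 2 3600 20151031120000 20151001100000 12345 example.invalid. c2lnMQ==
example.invalid. 3600 IN RRSIG NS 8 2 3600 20151031120000 20151001100000 12345 example.invalid. c2lnMg==
"""
SECONDARY = """\
example.invalid. 3600 IN SOA ns1.example.invalid. hostmaster.example.invalid. 2015100102 7200 3600 1209600 3600
example.invalid. 3600 IN RRSIG SOA 8 2 3600 20150930120000 20150901100000 12345 example.invalid. c2lnMA==
"""
# Time of the report in the thread, used as "now" for the expiry check (constructed).
NOW = datetime(2015, 10, 1, 14, 35, tzinfo=timezone.utc)

def records(answer):
    """Yield (type, rdata tokens) per record line; ';' comments and blank lines are skipped."""
    for line in answer.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) > 4:
            yield fields[3], fields[4:]

def soa_serial(answer):
    """SOA rdata is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    return next(int(rd[2]) for rtype, rd in records(answer) if rtype == "SOA")

def to_utc(stamp):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsigs(answer):
    """(covered type, key tag) -> (expiration, inception).  RRSIG rdata is
    TYPE ALG LABELS ORIGTTL EXPIRATION INCEPTION KEYTAG SIGNER SIGNATURE."""
    return {(rd[0], int(rd[6])): tuple(to_utc(t) for t in rd[4:6])
            for rtype, rd in records(answer) if rtype == "RRSIG"}

def diagnose(primary, secondary, now):
    """Explain a validation failure in terms of serials and RRSIG lifetimes."""
    findings = []
    for label, answer in (("primary", primary), ("secondary", secondary)):
        expired = sorted(t for (t, _), (exp, _) in rrsigs(answer).items() if exp <= now)
        if expired:
            findings.append(f"{label}: expired RRSIG over {', '.join(expired)}")
    if soa_serial(primary) != soa_serial(secondary):
        findings.append("serial mismatch: zone transfer to the secondary is pending or failed")
    elif rrsigs(primary) != rrsigs(secondary):
        findings.append("same serial but different RRSIGs: the re-sign did not bump the "
                        "serial, so the secondary never transfers the fresh signatures")
    return findings
```

Calling `diagnose(PRIMARY, SECONDARY, NOW)` on the constructed answers reports an expired SOA signature on the secondary and an unchanged serial alongside differing RRSIGs; feeding it the output of the two dig commands above would show the same pattern for a real zone.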
