Hi Stuart,

I have opened an issue for this on our bug tracking system:
https://issues.opendnssec.org/browse/SUPPORT-51

Would you be able to share your conf files and full logs either by uploading to the above issue or off-list?

(Also: If you register as a watcher of this issue then you will receive emails of all the updates to it.)

Sara.

On 4 Feb 2013, at 08:13, wfXLtg== wrote:

> Hi All,
>
> As I posted earlier, the 'RR Does Not Exist' and ods-signer would not sign
> RRSIGs until it expires cause a lot of problems.
> My test tlds here have their KSK rolled over every 4H and ZSK rolled over every
> 2H, and after days of test you can see the amount of DNSKEYS
> exist in the zone file and most of which are dead.
>
> [gtld@index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> 75
> [gtld@index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> 67
>
> It's obvious opendnssec did not remove them in the zone, I will change the
> <purge> to 1H which was 14D by default, I hope this will help.
>
> I wrote a script to do nsupdate soa to the INBOUND bind and this can make
> opendnssec resign the expiring RRs, or the RRSIGs will keep expired, but it
> can not solve the Lots-of-Dead-DNSKEYs problem.
>
> I need your help guys.
>
>
> Best regards,
> Stuart
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
