Hi Roman,

I'm not 100% sure what you mean. I think you are saying that you used to see a daily resign of expired signatures but now you don't. Is that correct?

Did OpenDNSSEC do a full resign after you upgraded? - This might explain why no signatures are expiring /yet/.

Can you share your kasp.xml and conf.xml (beware! conf may contain passwords/pins). I could take a look and assert your expectations.
//Yuri

On 05-07-17 16:20, Roman Serbski wrote:
> Hello,
>
> Hidden master (NSD 4.1.0), signer (OpenDNSSEC 1.4.6 using DNS
> adapters), and public DNS (NSD 4.1.0), all under FreeBSD 10.0-STABLE.
>
> I'm planning to update the whole setup to the latest NSD 4.1.16,
> OpenDNSSEC 1.4.14, FreeBSD 11, therefore I cloned all servers and
> performed an update in the lab.
>
> Everything is working fine except that it seems that I lost automatic
> zone updates performed by OpenDNSSEC. In 1.4.6, there was one update
> per day, per zone. In 1.4.14 I don't see any updates for three days
> already.
>
> My kasp.conf remained unchanged:
>
> <Zone>
>   <PropagationDelay>PT43200S</PropagationDelay>
>   <SOA>
>     <TTL>PT3600S</TTL>
>     <Minimum>PT3600S</Minimum>
>     <Serial>datecounter</Serial>
>   </SOA>
> </Zone>
>
> - if I manually bump the serial on hidden master, and reload the zone,
> it's instantly reflected on the public DNS;
> - automatic ZSK roll-over triggers SOA increment as well;
> - shutting down OpenDNSSEC, clearing of /var/opendnssec/tmp/, and
> starting OpenDNSSEC triggers updates too.
>
> I see constant communication between the hidden master and the signer:
>
> [2017-07-03 12:34:45.090] nsd[6547]: info: axfr for mydomain.org. from
> 192.168.60.203
>
> Jul 3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
> request axfr to 192.168.60.202
> Jul 3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
> got update indicating current serial 2017033002 from 192.168.60.202
>
> But no updates between the signer and the public DNS.
>
> Thank you in advance.
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
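Added example, not part of the thread and not OpenDNSSEC code: one way to check the point raised in the reply, by reading the RRSIG timestamps of the published zone and estimating when the signer would next have signatures to refresh. The `P3D` refresh value, the RRSIG records and the function names are constructed for illustration, because the thread does not show the `<Signatures>` section of the policy; the sketch assumes signatures are reused until their remaining lifetime drops below `<Refresh>` and ignores jitter.

```python
import re
from datetime import datetime, timedelta, timezone

# ISO 8601 durations in the style kasp.xml uses (PT43200S, P14D, PT2H); no years/months.
_DUR = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    m = _DUR.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

def _ts(value):
    # RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    i = f.index("RRSIG")  # fields after it: type alg labels ttl expiration inception ...
    return {"covered": f[i + 1], "expiration": _ts(f[i + 5]), "inception": _ts(f[i + 6])}

def resign_report(zone_text, refresh, now):
    sigs = [parse_rrsig(l) for l in zone_text.splitlines() if "RRSIG" in l.split()]
    if not sigs:
        raise ValueError("no RRSIG records found")
    first_exp = min(s["expiration"] for s in sigs)
    inceptions = [s["inception"] for s in sigs]
    next_refresh = first_exp - parse_duration(refresh)
    return {
        "next_refresh": next_refresh,
        "due_now": now >= next_refresh,
        # All inceptions within an hour of each other suggests one full re-sign.
        "single_batch": max(inceptions) - min(inceptions) <= timedelta(hours=1),
    }

# Constructed sample: RRSIGs as `dig +dnssec` would print them (signature data shortened).
SAMPLE = """\
mydomain.org. 3600 IN RRSIG SOA 8 2 3600 20170716120000 20170702110000 12345 mydomain.org. c2FtcGxl
mydomain.org. 3600 IN RRSIG NS 8 2 3600 20170716133000 20170702110000 12345 mydomain.org. c2FtcGxl
www.mydomain.org. 3600 IN RRSIG A 8 3 3600 20170716124500 20170702110000 12345 mydomain.org. c2FtcGxl
"""

if __name__ == "__main__":
    now = datetime(2017, 7, 5, 16, 20, tzinfo=timezone.utc)
    print(resign_report(SAMPLE, refresh="P3D", now=now))  # refresh value is an assumption
```

With the constructed records, every signature carries the same inception time and none comes within the assumed refresh window for another eight days, which is the situation in which a signer has nothing to re-sign.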
