Re: dnssec not automatically updating on 1 server
First of all, I don't recommend copying the configuration and having two primaries signing the same zone. It would at least need some key management synchronizing the signing keys.

I see that the DNSKEY set from ns1 differs from ns2 (there are two more keys there, where do they come from?)

Please provide 'rndc dnssec -status' output for the zone on both servers.

Please provide the logs as Ondrej said. Also preferably everything on level 3 debug.

Best regards,

Matthijs

On 6/15/23 15:54, Michael Martinell via bind-users wrote:
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec not automatically updating on 1 server
What do the logs say? Have you checked them?

Ondrej

--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 15. 6. 2023, at 15:54, Michael Martinell via bind-users wrote:
dnssec not automatically updating on 1 server
Anybody have any ideas on why my dnssec records don't always automatically update on my NS2 authoritative server? On my NS1 authoritative server the records update without issue.

NS2 is an exact copy of NS1. We SCP all of the config files from the first server to the second server and do "rndc reconfig && rndc reload && systemctl restart bind" on both servers.

They are both Centos 7 running Bind 9.16.40.

When it fails, I get this message:

[root@ns2 ~]# delv itctel.com @ns2.itctel.com
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 2607:d600:9000:300:75:102:160:231#53
;; resolution failed: RRSIG has expired

I have this policy in named.conf

dnssec-policy "itc-no-rotate" {
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime unlimited algorithm 13;
    };
    nsec3param;
};

I have this set up in a custom includes file:

zone "itctel.com" in {
    type master;
    file "forward/itctel.com.zone";
    dnssec-policy itc-no-rotate;
    inline-signing yes;
};

No changes to my actual zone files. The inline signing takes care of everything.

Here is a list of my files for this domain

/var/named/forward/itctel.com.zone
/var/named/forward/itctel.com.zone.jnl
/var/named/forward/itctel.com.zone.signed
/var/named/forward/itctel.com.zone.jbk
/var/named/forward/itctel.com.zone.new
/var/named/forward/itctel.com.zone.signed.jnl

Michael Martinell
Network/Broadband Technician
Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martin...@itccoop.com
www.itc-web.com
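The two things this thread turns on are an RRSIG that has expired on one server (the `keyid=3593` error in the original post) and a DNSKEY RRset that differs between ns1 and ns2 (Matthijs's reply). The script below is an added example, not code from the thread or from BIND: it parses RRSIG and DNSKEY records in the presentation format that `dig +dnssec` and `delv` print, classifies each signature against a reference time, computes the RFC 4034 key tag (the `keyid` delv reports) for each DNSKEY, and reports key tags present on only one of two servers. All records, key material and timestamps below are constructed, not the real zone's; the 3-day "expiring-soon" threshold is an assumption chosen because BIND's default policy re-signs well before expiry, so a signature that close to expiry indicates a stalled re-signing cycle.

```python
"""Offline checks for expired RRSIGs and mismatched DNSKEY sets.

Added example (not from the bind-users thread or BIND). Works on captured
`dig +dnssec` / `delv` output, so no network access is needed.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone


def _ts(s):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format into a dict."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "name": f[0],
        "covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "expiration": _ts(f[i + 5]),
        "inception": _ts(f[i + 6]),
        "keytag": int(f[i + 7]),
        "signer": f[i + 8],
    }


def rrsig_status(sig, now, warn=timedelta(days=3)):
    """Classify a signature relative to `now`; `warn` is an assumed threshold."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now < warn:
        return "expiring-soon"
    return "ok"


def key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Return (flags, algorithm, keytag) for one DNSKEY record."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    key_parts = []
    for t in f[i + 4:]:          # tolerate dig's "( ... )" wrapping and ";" comments
        if t.startswith(";"):
            break
        if t not in ("(", ")"):
            key_parts.append(t)
    return flags, alg, key_tag(flags, proto, alg, "".join(key_parts))


def compare_dnskey_sets(lines_a, lines_b):
    """Key tags published on only one of the two servers."""
    tags_a = {parse_dnskey(l)[2] for l in lines_a}
    tags_b = {parse_dnskey(l)[2] for l in lines_b}
    return sorted(tags_a - tags_b), sorted(tags_b - tags_a)


def audit(rrsig_lines, dnskey_lines, now):
    """Per-RRSIG findings: validity status, plus whether the signing key is published."""
    tags = {parse_dnskey(l)[2] for l in dnskey_lines}
    out = []
    for line in rrsig_lines:
        sig = parse_rrsig(line)
        status = rrsig_status(sig, now)
        if sig["keytag"] not in tags:
            status += ",unknown-key"
        out.append((sig["covered"], sig["keytag"], status))
    return out


# Constructed sample data (toy 2- and 4-byte "keys", not real ECDSA keys).
NOW = datetime(2023, 6, 15, 12, 0, tzinfo=timezone.utc)
NS1_DNSKEY = [
    "itctel.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",   # KSK, tag 2068
    "itctel.com. 3600 IN DNSKEY 256 3 13 Cfw=",       # ZSK, tag 3593
]
NS2_DNSKEY = NS1_DNSKEY + [                           # two extra keys, as in the thread
    "itctel.com. 3600 IN DNSKEY 256 3 13 ECAwQA==",   # tag 17517
    "itctel.com. 3600 IN DNSKEY 256 3 13 /wD/AA==",   # tag 527
]
NS1_RRSIG = ["itctel.com. 300 IN RRSIG A 13 2 300 20230626120000 20230612120000 3593 itctel.com. c2lnMQ=="]
NS2_RRSIG = [
    "itctel.com. 300 IN RRSIG A 13 2 300 20230614120000 20230531120000 3593 itctel.com. c2lnMg==",
    "itctel.com. 300 IN RRSIG SOA 13 2 300 20230626120000 20230612120000 60000 itctel.com. c2lnMw==",
]

if __name__ == "__main__":
    for name, sigs, keys in (("ns1", NS1_RRSIG, NS1_DNSKEY), ("ns2", NS2_RRSIG, NS2_DNSKEY)):
        for covered, tag, status in audit(sigs, keys, NOW):
            print(f"{name}: RRSIG over {covered} by key {tag}: {status}")
    only1, only2 = compare_dnskey_sets(NS1_DNSKEY, NS2_DNSKEY)
    print("DNSKEY tags only on ns1:", only1, "only on ns2:", only2)
```

Run against real output, the input lists would be the RRSIG and DNSKEY lines from `dig +dnssec <zone> @ns1` and `@ns2`; a per-server run of `audit` on a schedule turns the delv failure above into an "expiring-soon" alert before clients see `RRSIG has expired`, and `compare_dnskey_sets` makes the extra keys Matthijs noticed visible without eyeballing the RRsets.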