A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2. See https://lists.isc.org/pipermail/bind-users/2011-December/086063.html. This appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon.
See http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the jaspain.net AAAA, A, and TXT RRSets signed by ZSK 35297 expired on 12/17/2011, and those RRSets have not been resigned with the new ZSK 42152.

The metadata for ZSK 35297 calls for it to have become inactive on 12/12/2011 (at zero hours UTC) and for it to be deleted on 1/16/2012. The metadata for the new ZSK 42152 calls for it to have been published on 9/8/2011 and activated on 12/11/2011.

The jaspain.net SOA RRSet was signed by ZSK 35297 on 12/10/2011 and by ZSK 42152 at the same time. Following today's upgrade to RC1 the signature by ZSK 35297 on the SOA RRSet was removed.

As I understand it, bind should be resigning RRSets automatically to prevent such signature expirations. This particular zone is configured for in-line signing from a locally stored copy of the unsigned zone:

    zone "jaspain.net" {
        type master;
        file "/var/lib/bind/jaspain.net/jaspain.net.db";
        key-directory "/var/lib/bind/jaspain.net";
        update-policy local;
        auto-dnssec maintain;
        inline-signing yes;
        also-notify { 2001:4870:20ca:158:14ff:7695:9632:e9ec; };
    };

Thanks for any ideas you may have about what has gone wrong.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
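The post describes a rollover where a ZSK's Inactive date passes, the old key's RRSIGs expire, and nothing resigns the affected RRSets with the new key. The script below is an added example (it is not the poster's code and not part of BIND) that performs the cross-check a practitioner would want when diagnosing this: it reads the timing metadata BIND writes as comment lines in key files (`; Publish:`, `; Activate:`, `; Inactive:`, `; Delete:`), parses the RRSIG records from a signed zone, and lists every RRSet that lacks an unexpired signature from a key that is currently allowed to sign. The key-file headers, RRSIG lines and the "now" timestamp are constructed from the dates quoted in the post; the signature data, the key creation dates and the RRSIG inception dates are placeholders, not values from the real zone. Multi-line RRSIG records (signatures continued across lines) are not handled; run the zone through `named-checkzone -D` or a similar normalizer first if yours are formatted that way.

```python
"""Cross-check BIND key-timing metadata against the RRSIGs in a signed zone.

Added example, not part of the original post or of BIND. Key-file comment
lines (`; Publish:`, `; Activate:`, `; Inactive:`, `; Delete:`) follow the
layout dnssec-keygen/dnssec-settime write; RRSIG lines follow the RFC 4034
presentation format. All sample data is constructed from the timings in the
post; signature bodies, creation dates and inception dates are placeholders.
"""
import re
from datetime import datetime, timezone

# Constructed key-file headers, keyed by key tag, in the layout BIND writes.
KEY_FILES = {
    35297: """\
; This is a zone-signing key, keyid 35297, for jaspain.net.
; Created: 20110601000000 (Wed Jun  1 00:00:00 2011)
; Publish: 20110601000000 (Wed Jun  1 00:00:00 2011)
; Activate: 20110601000000 (Wed Jun  1 00:00:00 2011)
; Inactive: 20111212000000 (Mon Dec 12 00:00:00 2011)
; Delete: 20120116000000 (Mon Jan 16 00:00:00 2012)
jaspain.net. IN DNSKEY 256 3 8 AwEAAc...
""",
    42152: """\
; This is a zone-signing key, keyid 42152, for jaspain.net.
; Created: 20110908000000 (Thu Sep  8 00:00:00 2011)
; Publish: 20110908000000 (Thu Sep  8 00:00:00 2011)
; Activate: 20111211000000 (Sun Dec 11 00:00:00 2011)
jaspain.net. IN DNSKEY 256 3 8 AwEAAd...
""",
}

# Constructed RRSIG lines reproducing the symptom: A/AAAA/TXT signed only by
# 35297 and expired on 12/17/2011; SOA signed by 42152 and still valid.
SIGNED_ZONE = """\
jaspain.net. 3600 IN RRSIG A 8 2 3600 20111217000000 20111117000000 35297 jaspain.net. c2ln...
jaspain.net. 3600 IN RRSIG AAAA 8 2 3600 20111217000000 20111117000000 35297 jaspain.net. c2ln...
jaspain.net. 3600 IN RRSIG TXT 8 2 3600 20111217000000 20111117000000 35297 jaspain.net. c2ln...
jaspain.net. 3600 IN RRSIG SOA 8 2 3600 20120109000000 20111210000000 42152 jaspain.net. c2ln...
"""

TS_FMT = "%Y%m%d%H%M%S"  # YYYYMMDDHHMMSS, UTC, as used in key files and RRSIGs


def parse_ts(s):
    """Parse a 14-digit DNSSEC timestamp into an aware UTC datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_key_timing(text):
    """Return {'Publish': dt, 'Activate': dt, ...} from a key file's comment header."""
    pat = r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})"
    return {m.group(1): parse_ts(m.group(2)) for m in re.finditer(pat, text, re.M)}


def parse_rrsigs(text):
    """Return (owner, covered_type, expiration, inception, key_tag) per RRSIG line."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer sig
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        sigs.append((f[0], f[4], parse_ts(f[8]), parse_ts(f[9]), int(f[10])))
    return sigs


def key_active(timing, now):
    """A key may produce signatures at `now` if Activate <= now < Inactive.

    A missing Inactive means the key stays active indefinitely; Delete only
    governs when the DNSKEY leaves the zone, not whether it may still sign.
    """
    act, inact = timing.get("Activate"), timing.get("Inactive")
    return act is not None and act <= now and (inact is None or now < inact)


def audit(key_files, zone_text, now):
    """Return (rrsets_needing_resign, per_rrsig_status) evaluated at `now`.

    An RRSet is fine if at least one of its RRSIGs is within its validity
    window AND was made by a key that is active at `now`; anything else is
    reported, which is exactly the state the post describes for A/AAAA/TXT.
    """
    timings = {tag: parse_key_timing(txt) for tag, txt in key_files.items()}
    status, ok_sets, all_sets = [], set(), set()
    for owner, rtype, exp, inc, tag in parse_rrsigs(zone_text):
        all_sets.add((owner, rtype))
        expired = not (inc <= now < exp)
        active = tag in timings and key_active(timings[tag], now)
        status.append((owner, rtype, tag, expired, active))
        if not expired and active:
            ok_sets.add((owner, rtype))
    return sorted(all_sets - ok_sets), status


if __name__ == "__main__":
    now = parse_ts("20111220000000")  # assumed "today" shortly after the post's dates
    missing, status = audit(KEY_FILES, SIGNED_ZONE, now)
    for owner, rtype, tag, expired, active in status:
        print(f"{owner} {rtype:5} tag={tag} sig_expired={expired} key_active={active}")
    for owner, rtype in missing:
        print(f"NEEDS RESIGN: {owner} {rtype}")
```

Run against a real deployment by reading the `K*.key` files from the zone's `key-directory` and the `.signed` zone that inline signing maintains; a non-empty "NEEDS RESIGN" list at a time past the old ZSK's Inactive date is the condition the post reports.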