Hi Daniel
On 03.10.2017 09:21, Daniel Salzman wrote:
> If the automatic signing is enabled, Knot should remove all unknown or
> expired RRSIGs automatically during re-signing. So it is very suspicious.
>
> What the server prints to the log upon `knotc zone-sign ...`? Could you
> please send me the whole server log?

2017-10-03T10:01:44 info: [example.com.] zone will be loaded
2017-10-03T10:01:44 notice: [example.com.] journal, obsolete exists, file '/var/lib/knot/example.com.db'
2017-10-03T10:01:44 info: [example.com.] changes from journal applied 1506932669 -> 1507016770
2017-10-03T10:01:44 info: [example.com.] DNSSEC, loaded key, tag 47100, algorithm 13, KSK no, ZSK yes, public yes, ready yes, active yes
2017-10-03T10:01:44 info: [example.com.] DNSSEC, loaded key, tag 25437, algorithm 13, KSK yes, ZSK no, public yes, ready yes, active yes
2017-10-03T10:01:44 info: [example.com.] DNSSEC, signing started
2017-10-03T10:01:44 info: [example.com.] DNSSEC, zone is up-to-date
2017-10-03T10:01:44 info: [example.com.] loaded, serial 1507016770
2017-10-03T10:01:44 info: [example.com.] DNSSEC, next signing at 2017-10-10T09:44:00
2017-10-03T10:01:53 info: [example.com.] notify, outgoing, 203.0.113.1@53: serial 1507016770
2017-10-03T10:01:53 info: [example.com.] notify, outgoing, 192.0.2.1@53: serial 1507016770
2017-10-03T10:02:12 info: [example.com.] control, received command 'zone-sign'
2017-10-03T10:02:12 info: [example.com.] DNSSEC, dropping previous signatures, resigning zone
2017-10-03T10:02:12 info: [example.com.] DNSSEC, loaded key, tag 47100, algorithm 13, KSK no, ZSK yes, public yes, ready yes, active yes
2017-10-03T10:02:12 info: [example.com.] DNSSEC, loaded key, tag 25437, algorithm 13, KSK yes, ZSK no, public yes, ready yes, active yes
2017-10-03T10:02:12 info: [example.com.] DNSSEC, signing started
2017-10-03T10:02:12 info: [example.com.] DNSSEC, successfully signed
2017-10-03T10:02:12 info: [example.com.] DNSSEC, next signing at 2017-10-10T10:02:12
2017-10-03T10:02:12 info: [example.com.] notify, outgoing, 203.0.113.1@53: serial 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 203.0.113.1@46104: started, serial 1507016770 -> 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 203.0.113.1@46104: finished, 0.00 seconds, 1 messages, 15856 bytes
2017-10-03T10:02:12 info: [example.com.] notify, outgoing, 192.0.2.1@53: serial 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 192.0.2.1@55378: started, serial 1507016770 -> 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 192.0.2.1@55378: finished, 0.00 seconds, 1 messages, 15856 bytes

I did not check correctly before, as it seems. The master indeed does only serve the correct RRSIGs. It turns out it was the slaves (Knot as well) that somehow still served the old RRSIGs but otherwise an up-to-date zone. I did purge the zones from the slaves now (knotc -f zone-purge && knotc reload) and now the slaves serve the correct RRSIGs as well. Let's see if this reoccurs, otherwise sorry for the noise.

Regards
André

_______________________________________________
knot-dns-users mailing list
knot-dns-users@lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
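The failure mode in this thread (slave at the same SOA serial as the master, yet still answering with the master's previous RRSIGs) is easy to miss when only serials are compared. The check below is an added example and not code from the thread or from the Knot DNS project: it parses presentation-format SOA and RRSIG lines as printed by `dig +dnssec` (the RFC 4034 text format) from a master and a slave, confirms the serials match, and reports RRSIGs that differ per (owner, type covered, key tag) or that have expired. The sample responses are constructed; the serial and key tags are taken from the log above, the timestamps and the base64 signature strings are placeholders, and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# RFC 4034 section 3.2 presentation format, as dig prints it:
# owner TTL IN RRSIG type-covered alg labels orig-TTL expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+\S+\s+(?P<sig>\S+)$"
)
# Only the serial (third RDATA field) of the SOA is needed here.
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\b")


def parse_ts(s):
    """YYYYMMDDHHMMSS (RRSIG timestamps are UTC) -> aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_response(text):
    """Return (soa_serial or None, {(owner, covered, keytag): (inception, expiration, sig)})."""
    serial, sigs = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig's comment lines
            continue
        m = SOA_RE.match(line)
        if m:
            serial = int(m["serial"])
            continue
        m = RRSIG_RE.match(line)
        if m:
            key = (m["owner"].lower(), m["covered"].upper(), int(m["keytag"]))
            sigs[key] = (parse_ts(m["inception"]), parse_ts(m["expiration"]), m["sig"])
    return serial, sigs


def compare_rrsigs(master, slave, now):
    """Classify the slave's RRSIGs against the master's.
    stale: same (owner, type, keytag) but a different signature than the master serves
    expired: slave signature whose expiration is already in the past
    missing/extra: present only on the master / only on the slave."""
    report = {"stale": [], "expired": [], "missing": [], "extra": []}
    for key, (_m_inc, _m_exp, m_sig) in master.items():
        if key not in slave:
            report["missing"].append(key)
            continue
        _s_inc, s_exp, s_sig = slave[key]
        if s_exp < now:
            report["expired"].append(key)
        if s_sig != m_sig:
            report["stale"].append(key)
    report["extra"] = [key for key in slave if key not in master]
    return report


def check_slave(master_text, slave_text, now_str):
    """Compare one slave's dig output with the master's; now_str is YYYYMMDDHHMMSS UTC."""
    m_serial, m_sigs = parse_response(master_text)
    s_serial, s_sigs = parse_response(slave_text)
    report = compare_rrsigs(m_sigs, s_sigs, parse_ts(now_str))
    report["serial"] = (m_serial, s_serial)
    report["serial_match"] = m_serial == s_serial
    return report


# Constructed sample answers (placeholder signatures); the slave has the current serial
# but still serves the older SOA signature, which is exactly the situation in the thread.
MASTER = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1507017732 10800 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20171010100212 20171003100212 47100 example.com. NEWSOASIG==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20171010100212 20171003100212 25437 example.com. KEYSIG==
"""
SLAVE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1507017732 10800 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20171010094400 20171003094400 47100 example.com. OLDSOASIG==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20171010100212 20171003100212 25437 example.com. KEYSIG==
"""

if __name__ == "__main__":
    for k, v in check_slave(MASTER, SLAVE, "20171003103000").items():
        print(f"{k}: {v}")
```

In practice the two texts come from `dig +dnssec +norecurse @master example.com. SOA` and the same query against each slave; a non-empty `stale` list with `serial_match` true is the signal that the secondaries need the purge-and-reload the thread describes, and a non-empty `expired` list means resolvers are already failing validation.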