Hi Bastien and Wes,

One of the points needed to understand the issue is this log message:

> janv. 26 22:50:27 arrakeen knotd[3061]: notice: [geekwu.org.] DNSSEC, cleared future timers of auto-managed key 20414

In recent versions, we added a feature to Knot: when automatic key management is enabled, any key timers that are scheduled in the future are cleared. The reason was that auto-managed keys imported from BIND 9 often had those, and it led to a mess in Knot's automatic key management.

It is hard for me to imagine how this code could have cleared your keys' "normal" timers, which ought not to be in the future. Is the issue somehow reproducible for you, so that we could see the keys' states just before this appears? Could you at least dig a bit deeper into the logs to see some more history before this?

Could you explain whether you routinely or occasionally make manual adjustments to the keys with keymgr?

Thank you!

Libor

On 20. 02. 24 at 23:13, Wes Hardaker wrote:
> Bastien Durel <[email protected]> writes:
>
> > could you please have a deeper look into the history of the zone in
> > the log file (or share it)? There should be the answer hidden
> > somewhere...
>
> FYI, I hit this exact same problem recently.  One of my zones stopped
> signing because the KSK was marked as not active.  I used the same
> solution to redeploy it.  And it only happened with one zone.  You can
> see the effects in this graph showing that all the other zones kept
> resigning on a regular basis but one had a slow downward trend toward
> expiring (which I caught 4 days out):
>
> https://capturedonearth.com/temp/dnssec-days-remaining.png
>
> Note that I also had a power failure a few days before (on the night of
> the 4th/5th).  I have a hard time seeing why it would be related, but in
> theory I suppose it could be.
