Hello Charles,

On Tue, 4 Apr 2017 01:11:56 -0400 Charles Sprickman <[email protected]> wrote:
> Please bear with me, this is my first attempt at working with DNSSEC and
> PowerDNS, and I'm working it out on a personal domain. I have three servers
> set up - the master is running PowerDNS 4.0.3, both slaves are running nsd
> 4.1.14. When I first set this up, everything seemed to work fine and the
> setup passed the dnsviz.net tool.
>
> Today I noticed that I was not able to resolve this domain from home, where
> unbound runs as a validating, caching server. After some digging, dnsviz
> told me that my RRSIGs were "expired" - both from the slaves and the master.
> After much random poking around, I could not quite figure out how to tell
> PowerDNS to periodically refresh the signed zone(s). After manually just
> bumping the serial with "pdnsutil increase-serial example.com", the zone
> started validating properly at dnsviz.net and at home. Is this supposed to
> be automated? What have I missed?

This is automated indeed, rolling the signatures happens in the daemon itself automatically.

To debug this, we're gonna need some more information. Could you share the domain name, your config (without passwords), the output of `pdnsutil show-zone YOURZONE` and the responses from all machines to `dig soa +dnssec +norec @MACHINE YOURZONE`?

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
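
An added example, not part of the original thread and not PowerDNS code: one way to compare the `dig soa +dnssec +norec` answers requested above across the master and slaves, flagging any server whose SOA RRSIG is expired or whose serial lags. The server names, zone data and signatures in `SAMPLE` are constructed, and `parse_response` and `audit` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed answer sections, shaped like `dig soa +dnssec +norec @SERVER example.com`
# output; server names, serials, key tag and signatures are placeholders.
SAMPLE = {
    "master": """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017040402 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20170413000000 20170323000000 12345 example.com. c2lnbmF0dXJl
""",
    "slave1": """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2017030901 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20170330000000 20170309000000 12345 example.com. c2lnbmF0dXJl
""",
}

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s", re.M)
# RRSIG rdata (RFC 4034): covered alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+SOA\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s", re.M)

def _ts(stamp):
    # dig prints RRSIG times as YYYYMMDDHHMMSS in UTC
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_response(text):
    soa, sig = SOA_RE.search(text), RRSIG_RE.search(text)
    if not soa or not sig:
        raise ValueError("no SOA with RRSIG in answer (zone unsigned or +dnssec missing?)")
    return {"serial": int(soa.group(1)),
            "expires": _ts(sig.group(1)), "inception": _ts(sig.group(2))}

def audit(responses, now):
    parsed = {srv: parse_response(txt) for srv, txt in responses.items()}
    # Plain integer comparison; ignores RFC 1982 serial wrap-around.
    newest = max(p["serial"] for p in parsed.values())
    findings = []
    for srv, p in sorted(parsed.items()):
        if now >= p["expires"]:
            findings.append((srv, "rrsig-expired"))
        elif now < p["inception"]:
            findings.append((srv, "rrsig-not-yet-valid"))
        if p["serial"] < newest:
            findings.append((srv, "serial-behind"))
    return findings

if __name__ == "__main__":
    for srv, issue in audit(SAMPLE, datetime(2017, 4, 4, 5, 11, 56, tzinfo=timezone.utc)):
        print(srv, issue)
```

A slave that reports both `rrsig-expired` and `serial-behind` is serving an old copy of the zone, which points at zone transfers or NOTIFY rather than at signing on the master.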
