Hi Martin,

On 2/14/19 2:17 PM, Martin Kellermann via Pdns-users wrote:
> I'm having exactly this same problem:
> https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024791.html
> First attempts with DNSSEC and PowerDNS and the RRSIGs were running into
> "expired" state.
> Only difference is that secondary NS are not under my control and run by ISP.
> I did a "pdnsutil increase-serial" for the zone and everything is fine now.
> What am I missing, to get the automated refresh working?
>
> Here is the requested debugging info for the example zone (ea-80.de):
>
> /etc/powerdns/pdns.conf (most of it is still on defaults and marked out):
> # default-soa-edit-signed=

There's your problem, the SOA is not increased for signed zones. Please see the
documentation on SOA-EDIT[1] and DNSSEC. If you don't set the SOA-EDIT metadata
for this one zone, you can use the default-soa-edit-signed setting[2] to
automatically increase SOA serials for all signed zones.

Hope this helps!

Pieter

1 - https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
2 - https://doc.powerdns.com/authoritative/settings.html#setting-default-soa-edit-signed

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
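
A check for the failure mode discussed in this thread, added here as an example (not code from the original messages or from PowerDNS): it compares dig-style answers from the primary and a secondary and reports when the primary holds newer RRSIGs under an unchanged SOA serial. The zone name `example.org`, the sample records and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed dig-style answers for the placeholder zone example.org.
# Signature data is a dummy value; serial, key tag and dates are made up.
PRIMARY = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019010101 10800 3600 604800 3600
example.org. 3600 IN RRSIG SOA 13 2 3600 20190228000000 20190207000000 12345 example.org. ZHVtbXk=
"""
SECONDARY = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019010101 10800 3600 604800 3600
example.org. 3600 IN RRSIG SOA 13 2 3600 20190214000000 20190124000000 12345 example.org. ZHVtbXk=
"""

def parse(answer):
    """Return (soa_serial, {covered_type: expiration}) from dig-style text."""
    serial, expirations = None, {}
    for line in answer.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "SOA" and len(f) >= 7:
            serial = int(f[6])
        elif f[3] == "RRSIG" and len(f) >= 9:
            # RRSIG RDATA order: covered alg labels orig-ttl expiration inception ...
            exp = datetime.strptime(f[8], "%Y%m%d%H%M%S")
            expirations[f[4]] = exp.replace(tzinfo=timezone.utc)
    return serial, expirations

def diagnose(primary, secondary, now):
    """Flag stale signatures on a secondary and whether the serial hid them."""
    p_serial, p_exp = parse(primary)
    s_serial, s_exp = parse(secondary)
    findings = []
    for rtype, exp in sorted(s_exp.items()):
        if exp <= now:
            findings.append(f"{rtype}: RRSIG expired on secondary")
        # Same serial but newer signatures on the primary means the secondary
        # never saw a reason to transfer the zone again.
        if rtype in p_exp and p_exp[rtype] > exp and p_serial == s_serial:
            findings.append(f"{rtype}: primary re-signed but serial {s_serial} unchanged")
    return findings

if __name__ == "__main__":
    now = datetime(2019, 2, 14, 13, 0, tzinfo=timezone.utc)
    for finding in diagnose(PRIMARY, SECONDARY, now):
        print(finding)
```
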
