>Hi Martin,
>
>On 2/14/19 2:17 PM, Martin Kellermann via Pdns-users wrote:
>> I'm having exactly this same problem:
>> https://mailman.powerdns.com/pipermail/pdns-users/2017-April/024791.html
>> First attempts with DNSSEC and PowerDNS and the RRSIGs were running into
>> "expired" state.
>> Only difference is that secondary NS are not under my control and run by
>> ISP.
>> I did a "pdnsutil increase-serial" for the zone and everything is fine now.
>> What am I missing, to get the automated refresh working?
>>
>> Here is the requested debugging info for the example zone (ea-80.de):
>>
>> /etc/powerdns/pdns.conf (most of it is still on defaults and marked out):
>> # default-soa-edit-signed=
>
>There's your problem, the SOA is not increased for signed zones. Please
>read the documentation on SOA-EDIT[1] and DNSSEC. If you don't set the
>SOA-EDIT metadata for this one zone, you can use the
>default-soa-edit-signed setting[2] to automatically increase SOA serials
>for all signed zones.
>
>Hope this helps!
>
>Pieter
>
>1 -
>https://doc.powerdns.com/authoritative/dnssec/operational.html#soa-edit-ensure-signature-freshness-on-slaves
>2 -
>https://doc.powerdns.com/authoritative/settings.html#setting-default-soa-edit-signed
>
>--
>Pieter Lexis

Hi Pieter,

thank you very much.
I thought this would be automated, when enabling DNSSEC for a zone, sorry.
I already had SOA-EDIT-API metadata (INCEPTION-INCREMENT) for the zone in my database.

Just to clear this out again - I have two choices:
Add another metadata record of kind "SOA-EDIT" to the database or set "default-soa-edit-signed" in pdns.conf.
Correct?

Regards.
MK
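
A monitoring check for the failure discussed in this thread (RRSIGs on a secondary running into the "expired" state because the zone was never re-transferred), added here as an example; it is not from the thread or from PowerDNS. The RRSIG lines are constructed sample data, and the function names and the 7-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG lines in the presentation format `dig +dnssec`
# prints, as a secondary serving a stale copy of a signed zone might return
# them (signature data shortened, key tag made up).
SAMPLE = """\
example.org. 3600 IN RRSIG SOA 13 2 3600 20190207000000 20190117000000 12345 example.org. c2lnMQ==
example.org. 3600 IN RRSIG NS 13 2 3600 20190221000000 20190131000000 12345 example.org. c2lnMg==
www.example.org. 3600 IN RRSIG A 13 3 3600 20190307000000 20190214000000 12345 example.org. c2lnMw==
"""

def rrsig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
        if line.startswith(";") or len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        yield f[0], f[4], rrsig_time(f[9]), rrsig_time(f[8])

def check_freshness(text, now, warn=timedelta(days=7)):
    """Classify each signature as EXPIRED, NOT_YET_VALID, EXPIRING or OK."""
    report = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        if now >= expiration:
            state = "EXPIRED"
        elif now < inception:
            state = "NOT_YET_VALID"
        elif expiration - now <= warn:
            state = "EXPIRING"
        else:
            state = "OK"
        report.append((owner, covered, state))
    return report

if __name__ == "__main__":
    now = datetime(2019, 2, 14, 14, 17, tzinfo=timezone.utc)  # constructed "current" time
    bad = [r for r in check_freshness(SAMPLE, now) if r[2] != "OK"]
    for owner, covered, state in bad:
        print(f"{state:13} {owner} {covered}")
    raise SystemExit(2 if bad else 0)  # non-zero exit lets a monitor alert
```

Feeding it the output of a query sent directly to each secondary, rather than through a resolver, shows which server is still holding the old signatures.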
