Re: dnssec not automatically updating on 1 server

2023-06-15 Thread Matthijs Mekking
First of all, I don't recommend copying the configuration and having two 
primaries signing the same zone. It would at least need some key 
management synchronizing the signing keys.


I see that the DNSKEY set from ns1 differs from ns2 (there are two more 
keys there, where do they come from?)


Please provide 'rndc dnssec -status' output for the zone on both servers.

Please provide the logs as Ondrej said. Also preferably everything on 
level 3 debug.


Best regards,

Matthijs

On 6/15/23 15:54, Michael Martinell via bind-users wrote:

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
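The single-signer layout Matthijs is pointing at, written out as an added example configuration (it is not a snippet from the thread or from ISC): ns1 keeps Michael's dnssec-policy and inline-signing and remains the only server that ever signs, while ns2 becomes a secondary that transfers the already signed zone, so there is only one key set and one set of RRSIG timers. The TSIG key name ns2-xfer, the addresses 192.0.2.1 (ns1) and 198.51.100.2 (ns2) and the secondary's file path are placeholders.

```conf
// On BOTH servers: one shared TSIG key so that zone transfers and notifies are
// authenticated. Placeholder name; generate the statement with: tsig-keygen ns2-xfer
key "ns2-xfer" {
    algorithm hmac-sha256;
    secret "<base64 secret printed by tsig-keygen, identical on ns1 and ns2>";
};

// ns1 (the only signer): Michael's zone statement as posted, plus a transfer ACL
// and an explicit notify to ns2. named signs from the unsigned file and keeps the
// signed copy in itctel.com.zone.signed and its journal, exactly as today.
zone "itctel.com" in {
    type primary;                                 // "master" in Michael's config; synonym in 9.16
    file "forward/itctel.com.zone";
    dnssec-policy itc-no-rotate;
    inline-signing yes;
    allow-transfer { key ns2-xfer; };             // TSIG-authenticated AXFR/IXFR only
    notify explicit;
    also-notify { 198.51.100.2 key ns2-xfer; };   // ns2, placeholder address
};

// ns2: a secondary of ns1. It receives the signed zone, DNSKEYs and RRSIGs
// included, and signs nothing itself, so no second key set can drift away from
// ns1 and no second signer can let its RRSIGs lapse.
zone "itctel.com" in {
    type secondary;                               // "slave" is the older synonym
    file "secondary/itctel.com.zone";             // placeholder path; any file named can write
    primaries { 192.0.2.1 key ns2-xfer; };        // ns1, placeholder address; "masters" also works
};
```

After the switch, ns2's own itctel.com.zone.signed, the journals and any K* key files it generated are no longer read and can be moved out of the way. A quick confirmation is that `dig @ns2.itctel.com itctel.com DNSKEY +norecurse` returns exactly the DNSKEY RRset ns1 serves, and that ns2's SOA serial follows ns1's after each re-sign.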


Re: dnssec not automatically updating on 1 server

2023-06-15 Thread Ondřej Surý
What do the logs say? Have you checked them?

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 15. 6. 2023, at 15:54, Michael Martinell via bind-users 
>  wrote:




dnssec not automatically updating on 1 server

2023-06-15 Thread Michael Martinell via bind-users
Anybody have any ideas on why my DNSSEC records don't always automatically 
update on my NS2 authoritative server?  On my NS1 authoritative server the 
records update without issue.
NS2 is an exact copy of NS1. We SCP all of the config files from the first 
server to the second server and do "rndc reconfig && rndc reload && systemctl 
restart bind" on both servers.
They are both CentOS 7 running BIND 9.16.40.

When it fails, I get this message:
[root@ns2 ~]# delv itctel.com @ns2.itctel.com
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): 
RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 75.102.160.231#53
;; validating itctel.com/A: verify failed due to bad signature (keyid=3593): 
RRSIG has expired
;; validating itctel.com/A: no valid signature found
;; RRSIG has expired resolving 'itctel.com/A/IN': 
2607:d600:9000:300:75:102:160:231#53
;; resolution failed: RRSIG has expired


I have this policy in named.conf
dnssec-policy "itc-no-rotate" {
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime unlimited algorithm 13;
    };
    nsec3param;
};

I have this set up in a custom includes file:
zone "itctel.com" in {
    type master;
    file "forward/itctel.com.zone";
    dnssec-policy itc-no-rotate;
    inline-signing yes;
};

No changes to my actual zone files. The inline signing takes care of everything.

Here is a list of my files for this domain
/var/named/forward/itctel.com.zone
/var/named/forward/itctel.com.zone.jnl
/var/named/forward/itctel.com.zone.signed
/var/named/forward/itctel.com.zone.jbk
/var/named/forward/itctel.com.zone.new
/var/named/forward/itctel.com.zone.signed.jnl




Michael Martinell
Network/Broadband Technician

Interstate Telecommunications Coop., Inc.
312 4th Street West * Clear Lake, SD 57226
Phone: (605) 874-8313
michael.martin...@itccoop.com
www.itc-web.com
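The "RRSIG has expired" that delv prints above is the resolver's view; the check below, added here as example code and not taken from the thread or from ISC, extracts the same facts from plain dig answers of each server so the two can be compared before a validator complains. It parses DNSKEY and RRSIG lines in dig's presentation format, computes each DNSKEY's key tag (RFC 4034 appendix B) so that an RRSIG key tag, such as the keyid delv reports, can be matched to a key, flags RRSIGs that are expired, not yet valid or within a few days of expiry, and lists the key tags served by only one of the two servers, which is the divergence Matthijs noticed. The two answer sets, the keys and the clock value are constructed for the example; itctel.com appears only as a label.

```python
"""Added example, not code from the thread: cross-check the DNSSEC state two
authoritative servers actually serve, from the text that
`dig @nsX itctel.com DNSKEY +norecurse` and `dig @nsX itctel.com A +dnssec +norecurse`
print (one record per line, so no +multiline). The answers below are constructed."""
import base64
import re
import struct
from datetime import datetime, timezone

DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)\s+.+$")


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 appendix B key tag over the DNSKEY RDATA (every algorithm except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dig(text):
    """Return ({key tag: (flags, algorithm)}, [RRSIG dicts]); other lines are ignored."""
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            flags, proto, alg = int(m[2]), int(m[3]), int(m[4])
            # dig prints the base64 key in space-separated chunks; join them first.
            dnskeys[key_tag(flags, proto, alg, m[5].replace(" ", ""))] = (flags, alg)
            continue
        m = RRSIG_RE.match(line.strip())
        if m:
            rrsigs.append({"owner": m[1], "covers": m[2], "alg": int(m[3]),
                           "expiration": m[4], "inception": m[5],
                           "keytag": int(m[6]), "signer": m[7]})
    return dnskeys, rrsigs


def ts(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_server(name, text, now, warn_days=3):
    """Findings a validator would trip over: expired, not-yet-valid or soon-expiring
    RRSIGs, and RRSIGs whose key tag matches nothing in the served DNSKEY RRset."""
    dnskeys, rrsigs = parse_dig(text)
    findings = []
    for sig in rrsigs:
        label = f"{name}: RRSIG {sig['owner']} {sig['covers']} keytag={sig['keytag']}"
        exp = ts(sig["expiration"])
        if exp <= now:
            findings.append(f"{label} expired {sig['expiration']}")
        elif (exp - now).days < warn_days:
            findings.append(f"{label} expires within {warn_days} days ({sig['expiration']})")
        if ts(sig["inception"]) > now:
            findings.append(f"{label} not yet valid (inception {sig['inception']})")
        if sig["keytag"] not in dnskeys:
            findings.append(f"{label} signed by a key missing from the DNSKEY RRset")
    return findings


def compare_dnskeys(text_a, text_b):
    """Key tags served by only one side; two independent signers drift apart like this."""
    a, _ = parse_dig(text_a)
    b, _ = parse_dig(text_b)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


# Constructed keys with fixed byte patterns so the key tags are reproducible; real
# ECDSAP256SHA256 (algorithm 13) public keys are also 64 raw bytes, so the tag
# arithmetic is the same. The signature field is a placeholder and is never verified.
KSK = base64.b64encode(bytes(range(64))).decode()
ZSK = base64.b64encode(bytes([1] * 64)).decode()
STRAY = base64.b64encode(bytes([2] * 64)).decode()
SIG = "c2lnbmF0dXJl"

NS1 = f"""
itctel.com. 3600 IN DNSKEY 257 3 13 {KSK}
itctel.com. 3600 IN DNSKEY 256 3 13 {ZSK}
itctel.com. 3600 IN A 192.0.2.10
itctel.com. 3600 IN RRSIG A 13 2 3600 20230701000000 20230601000000 9261 itctel.com. {SIG}
"""
# ns2 serves one DNSKEY ns1 does not have, and an A signature that ran out the day before.
NS2 = f"""
itctel.com. 3600 IN DNSKEY 257 3 13 {KSK}
itctel.com. 3600 IN DNSKEY 256 3 13 {ZSK}
itctel.com. 3600 IN DNSKEY 256 3 13 {STRAY}
itctel.com. 3600 IN A 192.0.2.10
itctel.com. 3600 IN RRSIG A 13 2 3600 20230614120000 20230515120000 9261 itctel.com. {SIG}
"""
NOW = datetime(2023, 6, 15, 13, 54, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for server, text in (("ns1", NS1), ("ns2", NS2)):
        for finding in check_server(server, text, NOW) or [f"{server}: ok"]:
            print(finding)
    print("only on ns1 / only on ns2:", compare_dnskeys(NS1, NS2))
```

Against real servers, replace NS1 and NS2 with the concatenated output of the two dig commands named in the docstring for each server and pass `datetime.now(timezone.utc)` as `now`; a finding on one server only, with identical key tags on both, points at that server's signer, while a difference in key tags means the two servers are not working from the same key set, which is what running two independent signers produces.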