DNSSEC and upgrading/restoring

David Newman dnewman at networktest.com
Wed Feb 5 00:54:47 UTC 2014


On 2/2/14 5:39 AM, Tony Finch wrote:
> David Newman <dnewman at networktest.com> wrote:
>> On 1/31/14 10:35 AM, Tony Finch wrote:
>>> David Newman <dnewman at networktest.com> wrote:
>>>>
>>>> What action, if any, is needed?
>>>
>>> Does rndc sign <zone> make it wake up?
>>
>> Alas, no. There are a bunch of successful IXFR messages to slave servers
>> but the dates in that NSEC3PARAM RRSIG did not change.
> 
> Not good. I would try deleting and re-adding the NSEC3PARAM records.
> Slow if the zones are big but at least it should fix the problem.

Bingo. That cleared the issue.

This may have been unrelated to the system upgrade. It's possible the
stale NSEC3 records were there for a while, and I just hadn't noticed.

Thanks very much for the troubleshooting clues.

dn




More information about the bind-users mailing list