DNSSEC rollover fails
bobjunk at treborlogic.com
Tue Dec 27 16:19:02 UTC 2016
I have been fighting with my automatic DNSSEC ZSK rollover recipe for
the last year and keep having issues with it.
My existing keys are set to become inactive on Jan 1 2017, and to be
deleted Feb 1 2017.
The replacement keys are set to publish on Dec 2 2016 and become active
on Jan 1 2017.
The replacement keys published as expected and haven't been used for
signing yet as expected.
I woke up last Friday Dec 23rd to find my zones failing validation. When
I investigated I found the existing signatures expired on the 22nd and
bind never resigned the records with the existing, currently still
It seemed to behave as though if the period the records would have been
valid extended past the inactive date for the key, it simply refused to
My understanding is the inactive date sets the time that bind will no
longer use the key to sign records but that the key would still be
published and validators would consider records signed with the key as
valid. My expectation was that bind would use the currently active key
to sign records as needed up until the inactive timer is met.
The existing key timers:
; Created: 20160528120657 (Sat May 28 12:06:57 2016)
; Publish: 20160601000000 (Wed Jun 1 00:00:00 2016)
; Activate: 20160701000000 (Fri Jul 1 00:00:00 2016)
; Inactive: 20170101000000 (Sun Jan 1 00:00:00 2017)
; Delete: 20170201000000 (Wed Feb 1 00:00:00 2017)
The replacement key timers:
; Created: 20161116164407 (Wed Nov 16 16:44:07 2016)
; Publish: 20161202000000 (Fri Dec 2 00:00:00 2016)
; Activate: 20170101000000 (Sun Jan 1 00:00:00 2017)
I ended up having to shut down bind and delete the .signed file and its
journal for each zone, then start bind back up again to get it to sign
the zone so I could get back online. Any commands via rndc to resign the
zone were ignored.
Obviously this behavior isn't tolerable. I assume I have something set
incorrectly but I can't find what it is. This issue also occurred at the
last rollover. Once I deleted the signed files and restarted the server
to get it to sign the zones again, the rollover occurred as expected. It
just seems to not want to sign the records for that one last time before
the inactive time is reached and will only do so if I completely nuke
all the existing signatures.
# named -v
Anyone have any ideas?
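An added example, not part of the original post or of BIND: a Python checker that parses the dnssec-keygen timer comments quoted above and verifies the three timing constraints of a pre-publish ZSK rollover (new key pre-published for at least one DNSKEY TTL, no gap between old Inactive and new Activate, old key retained until its last signatures expire). The DNSKEY TTL and RRSIG validity values are assumptions, not values from the post.

```python
"""Sanity-check a pre-publish ZSK rollover from dnssec-keygen key-file timers.

Added example, not from the original post or from BIND. Timer lines are copied
from the post; the TTL and signature-validity values are assumptions."""
import re
from datetime import datetime, timedelta

# Timer comments as dnssec-keygen writes them into K*.key files (from the post).
OLD_KEY = """\
; Publish: 20160601000000 (Wed Jun 1 00:00:00 2016)
; Activate: 20160701000000 (Fri Jul 1 00:00:00 2016)
; Inactive: 20170101000000 (Sun Jan 1 00:00:00 2017)
; Delete: 20170201000000 (Wed Feb 1 00:00:00 2017)
"""
NEW_KEY = """\
; Publish: 20161202000000 (Fri Dec 2 00:00:00 2016)
; Activate: 20170101000000 (Sun Jan 1 00:00:00 2017)
"""
TIMER_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})", re.M)


def parse_timers(keyfile_text):
    """Return {'Publish': datetime, ...}; dnssec-keygen timestamps are UTC."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S")
            for name, stamp in TIMER_RE.findall(keyfile_text)}


def check_rollover(old, new, max_ttl=timedelta(days=1),
                   sig_validity=timedelta(days=30)):
    """Return a list of schedule problems (empty means consistent). Assumed:
    max_ttl is the DNSKEY RRset TTL, sig_validity the RRSIG lifetime used."""
    problems = []
    # Pre-publish: validators must have cached the new DNSKEY before it signs.
    if new["Activate"] - new["Publish"] < max_ttl:
        problems.append("new key is not pre-published for at least one DNSKEY TTL")
    # No signing gap: the new key takes over no later than the old one stops.
    if new["Activate"] > old["Inactive"]:
        problems.append("signing gap between old Inactive and new Activate")
    # Retention: the old DNSKEY must stay published until its last RRSIGs expire.
    if old["Delete"] < old["Inactive"] + sig_validity:
        problems.append("old key is deleted before its last signatures expire")
    return problems


if __name__ == "__main__":
    for line in check_rollover(parse_timers(OLD_KEY), parse_timers(NEW_KEY)) or ["ok"]:
        print(line)
```

Run against the two key files from the post, the schedule passes all three checks, so the timers themselves are consistent; the checker does not model how the signer decides when to regenerate RRSIGs.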