inline-signing: SOA serial out of sync

Axel Rau Axel.Rau at Chaos1.DE
Thu Jun 14 10:27:16 UTC 2018


> On 07.06.2018 at 13:36, Axel Rau <Axel.Rau at chaos1.de> wrote:
> 
> 
> occasionally named 9.11.3 fails to increment SOA serial like here:
> 
> 	file: 2018060605 dns: 2018060604


It just happened again. An included zone file has been changed from 2 TLSA RRs to one:
- - -
_443._tcp.git.nussberg.de. 3600 IN TLSA 3 0 1 DAE0AC343A6694DEAF0BAB42FC8A6B1F82E42799654BD667B458DC91655C6AB4
- - -
After reload no TLSAs are picked up by the server:
- - -
[hermes:local/etc/rc.d] root# dig AXFR nussberg.de. @localhost | grep TLSA
[hermes:local/etc/rc.d] root#
- - -
Zone status:
- - -
[hermes:local/etc/rc.d] root# rndc zonestatus nussberg.de
name: nussberg.de
type: master
files: master/signed/nussberg.de/nussberg.de.zone, master/signed/nussberg.de/git.nussberg.de.tlsa, master/signed/nussberg.de/acme_challenges.inc
serial: 2018061301
signed serial: 2018060702
nodes: 12
last loaded: Tue, 05 Jun 2018 07:08:59 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Thu, 14 Jun 2018 10:05:11 GMT
next resign node: email1._domainkey.nussberg.de/TXT
next resign time: Sun, 17 Jun 2018 19:29:37 GMT
dynamic: no
reconfigurable via modzone: no
- - -
What else can I collect to help fix this?

Thanks, Axel

PS: Why does
dig TLSA _443._tcp.git.nussberg.de. @localhost
not work at all?
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius
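
Added example, not part of the original post or of BIND: a monitoring check that parses `rndc zonestatus` output and compares `serial` with `signed serial` using RFC 1982 serial arithmetic. The function names are hypothetical, and treating a signed serial that is behind the unsigned one as "out of sync" is an assumption of this sketch.

```python
# Zonestatus fields copied from the post above (abridged to the ones used here).
SAMPLE = """\
name: nussberg.de
type: master
serial: 2018061301
signed serial: 2018060702
last loaded: Tue, 05 Jun 2018 07:08:59 GMT
secure: yes
inline signing: yes
"""


def parse_zonestatus(text):
    """Turn 'key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so timestamps in values survive.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def serial_cmp(a, b):
    """RFC 1982 comparison of 32-bit serials: -1 if a < b, 0 if equal, 1 if a > b."""
    diff = (a - b) & 0xFFFFFFFF
    if diff == 0:
        return 0
    if diff == 0x80000000:
        raise ValueError("serials are exactly 2^31 apart; ordering is undefined")
    return 1 if diff < 0x80000000 else -1


def check_inline_signed_zone(text):
    """Classify a zone as 'ok', 'signed-behind' or 'not-inline-signed'."""
    fields = parse_zonestatus(text)
    if fields.get("inline signing") != "yes":
        return "not-inline-signed"
    raw = int(fields["serial"])
    signed = int(fields["signed serial"])
    # Assumption: the signed copy should never lag the unsigned zone file.
    return "signed-behind" if serial_cmp(signed, raw) < 0 else "ok"


if __name__ == "__main__":
    print(check_inline_signed_zone(SAMPLE))
```
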



More information about the bind-users mailing list