DNSSEC / BIND breakage

Andreas Schulze andreas.schulze at datev.de
Thu Oct 1 15:14:08 CEST 2015

On 01.10.2015 at 14:35, Wolfgang Rosenauer wrote:
> Hi,
> one of my DNSSEC/DANE secured domains started breaking as of today and I
> do not fully understand why.
> Probably bright people here can point me to the correct resolution?
> I'm using bind and its
> auto-dnssec maintain;
> inline-signing yes;
> Also I'm not aware that my KSK and ZSK keys have any expiration date but
> today DNSSEC started to fail apparently because my RRSIG signatures are
> said to be expired.
> Actually my first idea is that the automatic maintenance in bind failed
> for some reason. So I deleted the journal and signed zone files and
> started over by signing the zone from scratch. This at least improved
> the situation a little bit according to
> http://dnsviz.net/d/rosenauer.org/dnssec/
> But still it seems to be broken and I'm lost currently to understand
> what is wrong.
> Thanks for any pointers,
>  Wolfgang
There are 2 nameservers known: yaina.de. and ns.an-netz.de.
According to the SOA, yaina.de seems to be a secondary.

I guess the zone transfer from primary to secondary did not happen
because the zone serial is still the same.

Compare "dig @yaina.de. rosenauer.org. ns +dnssec"
with "dig @ns.an-netz.de. rosenauer.org. ns +dnssec"

The primary has more and newer RRSIGs.

-> every time a resign happens, the serial number must be changed.


A. Schulze DATEV eG
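The comparison Andreas describes (same SOA serial on both servers, but newer RRSIGs on the primary and already-expired ones on the secondary) can be checked mechanically. The following is an added example and not code from either poster: it parses `dig ... +dnssec`-style answer text for the SOA serial and the RRSIG expiration times, then reports a secondary that is stuck on an old serial, a re-sign that happened without a serial bump, and signatures that are past their expiration. The two answer texts and the reference time are constructed sample data modelled on the thread, not real responses from the named servers.

```python
"""Compare the DNSSEC state of a zone as served by a primary and a secondary.

Added example for the dane-users thread above (not the posters' own code).
Input is the presentation-format answer section you get from
`dig @server zone ns +dnssec` (plus the SOA, if you also ask for it).
"""
import re
from datetime import datetime, timezone

# RRSIG presentation format (RFC 4034 s3.2):
#   name TTL IN RRSIG covers alg labels origttl expiration inception keytag signer sig
# expiration/inception are YYYYMMDDHHMMSS in UTC.
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covers>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)
# SOA: name TTL IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)")

# Constructed sample answers (not real dig output). Same serial on both
# servers, but the primary was re-signed and carries later-expiring RRSIGs.
PRIMARY_ANSWER = """\
; constructed, modelled on: dig @ns.an-netz.de. rosenauer.org. ns +dnssec
rosenauer.org. 3600 IN SOA ns.an-netz.de. hostmaster.rosenauer.org. 2015100101 7200 3600 1209600 3600
rosenauer.org. 3600 IN RRSIG SOA 8 2 3600 20151031120000 20151001100000 12345 rosenauer.org. c29tZXNpZw==
rosenauer.org. 3600 IN NS ns.an-netz.de.
rosenauer.org. 3600 IN NS yaina.de.
rosenauer.org. 3600 IN RRSIG NS 8 2 3600 20151031120000 20151001100000 12345 rosenauer.org. c29tZXNpZw==
"""
SECONDARY_ANSWER = """\
; constructed, modelled on: dig @yaina.de. rosenauer.org. ns +dnssec
rosenauer.org. 3600 IN SOA ns.an-netz.de. hostmaster.rosenauer.org. 2015100101 7200 3600 1209600 3600
rosenauer.org. 3600 IN RRSIG SOA 8 2 3600 20151001000000 20150901000000 12345 rosenauer.org. b2xkc2ln
rosenauer.org. 3600 IN NS ns.an-netz.de.
rosenauer.org. 3600 IN NS yaina.de.
rosenauer.org. 3600 IN RRSIG NS 8 2 3600 20151001000000 20150901000000 12345 rosenauer.org. b2xkc2ln
"""
# Reference time: when the reply above was written (constructed choice).
NOW = datetime(2015, 10, 1, 15, 14, 8, tzinfo=timezone.utc)


def parse_sigtime(ts):
    """RRSIG time field -> aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_answer(text):
    """Extract the SOA serial and all RRSIGs from answer text."""
    view = {"serial": None, "rrsigs": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SOA_RE.match(line)
        if m:
            view["serial"] = int(m.group("serial"))
            continue
        m = RRSIG_RE.match(line)
        if m:
            view["rrsigs"].append({
                "covers": m.group("covers"),
                "expiration": parse_sigtime(m.group("expiration")),
                "inception": parse_sigtime(m.group("inception")),
                "keytag": int(m.group("keytag")),
            })
    return view


def expired_rrsigs(view, now):
    """RRSIGs whose expiration time is at or before `now`."""
    return [r for r in view["rrsigs"] if r["expiration"] <= now]


def newest_expiration(view):
    return max((r["expiration"] for r in view["rrsigs"]), default=None)


def diagnose(primary_text, secondary_text, now):
    """Return a list of human-readable problems; empty means consistent."""
    p, s = parse_answer(primary_text), parse_answer(secondary_text)
    problems = []
    if p["serial"] is None or s["serial"] is None:
        problems.append("SOA missing from one answer; query the SOA as well")
    elif s["serial"] < p["serial"]:
        problems.append(f"secondary serial {s['serial']} behind primary "
                        f"{p['serial']}: transfer pending or failing")
    elif s["serial"] == p["serial"] and newest_expiration(p) and \
            newest_expiration(s) and newest_expiration(p) > newest_expiration(s):
        problems.append(f"serial {p['serial']} unchanged but primary RRSIGs expire "
                        "later: zone was re-signed without a serial bump, so the "
                        "secondary never transferred the new signatures")
    for label, view in (("primary", p), ("secondary", s)):
        for r in expired_rrsigs(view, now):
            problems.append(f"{label}: RRSIG over {r['covers']} (keytag {r['keytag']}) "
                            f"expired {r['expiration']:%Y-%m-%d %H:%M:%S} UTC")
    return problems


if __name__ == "__main__":
    for problem in diagnose(PRIMARY_ANSWER, SECONDARY_ANSWER, NOW):
        print(problem)
```

To use it against live servers, paste the answer sections of the two dig commands from the reply into the two strings (or read them from files) and pass the current UTC time as `now`; an empty result means serial and signatures agree on both servers.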
