DNSSEC resign cron not working

Over the last few months I have noticed the cron job /etc/webmin/bind8/resign.pl has not been resigning any domains because the ISC DLV Registry sends me email every month that domains have expired keys and I have to manually resign them.

Even if I run the cron job /etc/webmin/bind8/resign.pl manually that doesn't fix the issue.

Status: Active

Comments

Try running it with the --debug flag as root from the command line, and let us know what it outputs.

This is what I get

# /etc/webmin/bind8/resign.pl --debug
Considering zone 0.8.4.3.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
Key count 0
Considering zone 127.in-addr.arpa
Key count 0
Considering zone borgnet.mobi
Key count 2
Zone key in /var/lib/bind/Kborgnet.mobi.+005+56493.private
Age in days 1.6562962962963
Considering zone borgnet.net
Key count 2
Zone key in /var/lib/bind/Kborgnet.net.+005+31932.private
Age in days 0.858622685185185
Considering zone 0.in-addr.arpa
Key count 0
Considering zone 255.in-addr.arpa
Key count 0
Considering zone dev.borgnet.net
Key count 2
Zone key in /var/lib/bind/Kdev.borgnet.net.+005+04956.private
Age in days 4.65627314814815
Considering zone localhost
Key count 0

Maybe I should wait for another key to expire and then run the debug for you?

Yes, that would be most useful.

Had this happen again while I was out of town...

# /etc/webmin/bind8/resign.pl --debug
Considering zone localhost.localdomain
Key count 0
Considering zone borgnet.us
Key count 2
Zone key in /etc/bind/Kborgnet.us.+005+30711.private
Age in days 14.6009490740741
Considering zone 0.in-addr.arpa
Key count 0
Considering zone juicereceiver.com
Key count 0
Considering zone 0.0.127.in-addr.arpa
Key count 0
Considering zone 0.8.4.3.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
Key count 0
Considering zone adventitious.org
Key count 0
Considering zone centerforsecuritypolicy.org
Key count 2
Zone key in /etc/bind/Kcenterforsecuritypolicy.org.+005+48858.private
Age in days 4.60096064814815
Considering zone localhost.us
Key count 0
Considering zone borgnet.eu
Key count 2
Zone key in /etc/bind/Kborgnet.eu.+005+21171.private
Age in days 16.6009490740741
Considering zone 127.in-addr.arpa
Key count 0
Considering zone borgnet.org
Key count 2
Zone key in /etc/bind/masters/Kborgnet.org.+005+26385.private
Age in days 12.6009606481481
Considering zone borgnet.biz
Key count 2
Zone key in /etc/bind/Kborgnet.biz.+005+54801.private
Age in days 16.6009027777778
Considering zone localhost
Key count 0
Considering zone 8.e.2.9.0.c.5.0.1.0.0.2.ip6.arpa
Key count 0
Considering zone raskah.com
Key count 0
Considering zone 255.in-addr.arpa
Key count 0
Considering zone 2.3.2.0.1.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
Key count 0

Is that script reloading BIND after it runs the check? I did a DNS reload and the records were updated correctly.

You're right, in some cases the zone isn't being re-read by BIND. I'll fix that in the next release of Webmin.
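An added example, not part of the thread or of Webmin's code: one way to detect the failure mode identified above, where a zone is re-signed on disk but BIND keeps serving the old signatures. It assumes you have the text of the signed zone file and the text of the RRSIG that the server returns for the zone's SOA (for instance from `dig +dnssec SOA`); the function names, dates, TTL and signature bytes are constructed, and only the zone name, algorithm 5 and key tag 56493 come from the debug output above.

```python
import re
from datetime import datetime, timezone

# RRSIG rdata, presentation format (RFC 4034 section 3.2):
# covered alg labels orig-ttl expiration inception key-tag signer signature
SOA_RRSIG = re.compile(
    r"\bRRSIG\s+SOA\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")

def _ts(s):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def soa_rrsig(text):
    """Return the first RRSIG covering SOA as a dict, or None if absent."""
    # dnssec-signzone wraps rdata in parentheses across lines; flatten first.
    m = SOA_RRSIG.search(text.replace("(", " ").replace(")", " "))
    if m is None:
        return None
    return {"expiration": _ts(m.group(1)), "inception": _ts(m.group(2)),
            "key_tag": int(m.group(3)), "signer": m.group(4)}

def check_zone(on_disk, served, now):
    """Classify a zone by comparing on-disk and served SOA signatures."""
    disk, live = soa_rrsig(on_disk), soa_rrsig(served)
    if disk is None or live is None:
        return "unsigned-or-unparsed"
    if live["inception"] < disk["inception"]:
        return "stale"      # re-signed on disk, server never re-read the zone
    if live["expiration"] <= now:
        return "expired"    # server is current with disk, but nothing re-signed
    return "ok"

# Constructed sample data: multi-line zone-file form and single-line dig form.
ON_DISK = """borgnet.mobi.\t38400\tIN RRSIG\tSOA 5 2 38400 20130509000000 (
\t\t\t\t20130409000000 56493 borgnet.mobi.
\t\t\t\tY29uc3RydWN0ZWQ= )"""
SERVED = ("borgnet.mobi. 38400 IN RRSIG SOA 5 2 38400 "
          "20130401000000 20130302000000 56493 borgnet.mobi. Y29uc3RydWN0ZWQ=")

if __name__ == "__main__":
    now = datetime(2013, 4, 10, tzinfo=timezone.utc)
    print(check_zone(ON_DISK, SERVED, now))
```

A "stale" result points at a missing reload rather than a signing failure, which is the distinction the debug output alone did not show.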