DNSSEC resign failed

This is the second time that the Virtualmin nameservers return SERVFAIL. I noticed that the resigning had failed and the key had expired.

It was recovered by adding and removing an A record in the authoritative NS zone, but I noticed that

named-setup-rndc.service was set to Start at Boot "Always" but Running says "No"

I am not sure whether it has something to do with the issue. Should this be running?

crontab -l shows 49 16 * * * /etc/webmin/bind8/resign.pl, so that job is running though...

Regards
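The failure described above (signatures past their expiration, so validating resolvers answer SERVFAIL) is easy to catch ahead of time by looking at the RRSIG expiration timestamps a signed zone hands out. The following is an added example, not code from the post or from Virtualmin/Webmin: it parses the RRSIG lines from default (single-line) dig +dnssec output and classifies each signature as expired, not yet valid, expiring soon, or ok. The zone name, key tag, signature bytes and the fixed "now" (the date of the post) in the sample are constructed; in practice you would feed it the live output of dig +dnssec against your own nameserver and set "now" to the current UTC time.

```python
"""Flag RRSIG records that are expired or about to expire.

RRSIG RDATA fields (RFC 4034): type covered, algorithm, labels, original
TTL, signature expiration, signature inception, key tag, signer, signature.
Timestamps are YYYYMMDDHHmmSS in UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what `dig +dnssec example.com A` (and a SOA/NS query)
# might print for a zone signed with a 21-day signature lifetime. Zone name,
# key tag and signature bytes are made up for the example.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20160720140000 20160629140000 12345 example.com. AbCd==
example.com.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20160730140000 20160709140000 12345 example.com. EfGh==
example.com.\t3600\tIN\tRRSIG\tNS 8 2 3600 20160718140000 20160627140000 12345 example.com. IjKl==
"""

# Constructed reference time: the date of the forum post, in UTC.
DEMO_NOW = datetime(2016, 7, 19, 16, 13, tzinfo=timezone.utc)

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsigs(dig_output):
    """Return one dict per RRSIG line found in single-line dig output.

    Lines starting with ';' are dig comments. A valid single-line RRSIG record
    has at least 13 whitespace-separated fields: owner, TTL, class, 'RRSIG'
    and the nine RDATA fields. Multi-line (+multiline) output is not handled.
    """
    sigs = []
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0],
            "covers": fields[4],
            "expiration": datetime.strptime(fields[8], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(fields[9], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc),
            "keytag": int(fields[10]),
        })
    return sigs


def check_signatures(sigs, now, warn_before=timedelta(days=3)):
    """Classify each RRSIG relative to `now`.

    Returns a list of (owner, covered type, status, expiration) tuples where
    status is 'expired', 'not_yet_valid', 'expiring' (less than `warn_before`
    left) or 'ok'. An expired signature is exactly what makes a validating
    resolver return SERVFAIL for the zone.
    """
    results = []
    for sig in sigs:
        if now >= sig["expiration"]:
            status = "expired"
        elif now < sig["inception"]:
            status = "not_yet_valid"
        elif sig["expiration"] - now <= warn_before:
            status = "expiring"
        else:
            status = "ok"
        results.append((sig["owner"], sig["covers"], status, sig["expiration"]))
    return results


def has_problem(results):
    """True if any signature is not plainly 'ok' (use as a monitoring alert)."""
    return any(status != "ok" for _, _, status, _ in results)


if __name__ == "__main__":
    report = check_signatures(parse_rrsigs(SAMPLE_DIG_OUTPUT), DEMO_NOW)
    for owner, covers, status, expiration in report:
        print(f"{owner} RRSIG({covers}): {status}, expires {expiration:%Y-%m-%d %H:%M} UTC")
    if has_problem(report):
        print("ALERT: re-sign the zone (e.g. run the resign job) before resolvers SERVFAIL")
```

Run from cron a few times a day against `dig +dnssec @your-nameserver yourzone SOA` (and the other types you care about) with `warn_before` set comfortably longer than your cron interval, and you get warning before the resign job silently stops working rather than an outage report from users. Because the expiration is checked against the clock, it also catches the case where the resign cron entry exists but never ran.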


Comments

Submitted by Diabolico on Tue, 07/19/2016 - 16:13

You can always set up manual re-signing with cron. Take a look at my post https://www.virtualmin.com/node/37132; it's a little outdated, but if you have basic knowledge about DNSSEC it should be easy to set everything up. The only thing to skip is the part about dlv.isc.org, because there is no need to use it anymore.

Virtualmin should do automatic key re-generation and re-signing by default.

How old was your zone signature when it stopped working?

Hi,

It was one or two hours after the signature expired that I detected the host was unreachable (domain resolution failed with SERVFAIL).

I had this incident a month or so ago; it could be exactly 21 days. I resolved it by removing an A record from the domain, which re-signs the zone, but I didn't know that.

After this I checked the DNSSEC key resigning setting in the Servers / BIND configuration of Webmin, and it was set to No and 21 days, without my intervention.