[Opendnssec-user] DNSKEY signature expired

Colin Spensley odsu at c20.ksac.uk
Mon May 3 11:39:17 UTC 2021

I have a zone managed by OpenDNSSEC 2 which now is not resolved by 
validating resolvers. The reason appears to be that the RRSIG over the 
DNSKEY RRset has been allowed to expire by ods-signer.

Ie. (crudely obfuscated):-

> my_domain.tld.		3600	IN	RRSIG	DNSKEY 13 3 3600 20210501213711 20210418073317 47867 my_domain.tld. BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==

The signer does run for the domain but does not regenerate this signature.

Can anyone suggest what might be causing this error?


More information about the Opendnssec-user mailing list