[Opendnssec-user] DNSKEY signature expired

Berry van Halderen berry at nlnetlabs.nl
Mon May 3 12:01:36 UTC 2021

On 2021-05-03 13:39, Colin Spensley via Opendnssec-user wrote:
> I have a zone managed by OpenDNSSEC 2 which now is not resolved by
> validating resolvers. The reason appears to be that the RRSIG over the
> DNSKEY RRset has been allowed to expire by ods-signer.
> Ie. (crudely obfuscated):-
>> my_domain.tld.		3600	IN	RRSIG	DNSKEY 13 3 3600 20210501213711 
>> 20210418073317 47867 my_domain.tld. 
>> BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa 
>> oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==
> The signer does run for the domain but does not regenerate this 
> signature.
> Can anyone suggest what might be causing this error?

Your log should provide more information.  There should be some logging 
lines, probably in /var/log/messages indicating that "ods-signer" has 
some error.  I would suggest a grep ods-signer /var/log/messages.


More information about the Opendnssec-user mailing list