[Opendnssec-user] DNSKEY signature expired
Berry van Halderen
berry at nlnetlabs.nl
Mon May 3 12:01:36 UTC 2021
On 2021-05-03 13:39, Colin Spensley via Opendnssec-user wrote:
> I have a zone managed by OpenDNSSEC 2 which now is not resolved by
> validating resolvers. The reason appears to be that the RRSIG over the
> DNSKEY RRset has been allowed to expire by ods-signer.
>
> I.e. (crudely obfuscated):-
>
>> my_domain.tld. 3600 IN RRSIG DNSKEY 13 3 3600 20210501213711
>> 20210418073317 47867 my_domain.tld.
>> BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa
>> oojfCzX7gUo/DD9mXaMFZTyWm8iLpA==
>
> The signer does run for the domain but does not regenerate this
> signature.
>
> Can anyone suggest what might be causing this error?
>
Your log should provide more information. There should be some logging
lines, probably in /var/log/messages indicating that "ods-signer" has
some error. I would suggest a grep ods-signer /var/log/messages.
\Berry
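
Added example, not part of the original thread and not OpenDNSSEC code: a small monitoring check that parses an RRSIG record in presentation format and reports whether its validity window has lapsed, using the record quoted above as input. The function names are hypothetical, and the check only compares timestamps; it does not verify the signature cryptographically.

```python
from datetime import datetime, timezone

# The RRSIG quoted in the post (already obfuscated there), rejoined onto one line.
POSTED_RRSIG = (
    "my_domain.tld. 3600 IN RRSIG DNSKEY 13 3 3600 20210501213711 "
    "20210418073317 47867 my_domain.tld. "
    "BIzcTyvmGi/OcLaBdXMExes/iyHkrUC1qOhg4W4ybcjsS/zAXz65NJBa "
    "oojfCzX7gUo/DD9mXaMFZTyWm8iLpA=="
)

def _rrsig_time(field):
    """RFC 4034 3.2: 14 digits mean YYYYMMDDHHmmSS (UTC), otherwise epoch seconds."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record in presentation format (owner TTL class RRSIG ...)."""
    tok = line.split()
    i = tok.index("RRSIG")  # owner, TTL and class precede the type
    if len(tok) < i + 10:   # 8 fixed RDATA fields plus at least one signature chunk
        raise ValueError("truncated RRSIG record")
    return {
        "owner": tok[0],
        "covered": tok[i + 1],
        "algorithm": int(tok[i + 2]),
        "expiration": _rrsig_time(tok[i + 5]),
        "inception": _rrsig_time(tok[i + 6]),
        "key_tag": int(tok[i + 7]),
        "signer": tok[i + 8],
    }

def validity(rrsig, now):
    """Return (state, margin): time left if valid, time overdue if expired."""
    if now < rrsig["inception"]:
        return "not-yet-valid", rrsig["inception"] - now
    if now > rrsig["expiration"]:
        return "expired", now - rrsig["expiration"]
    return "valid", rrsig["expiration"] - now

if __name__ == "__main__":
    sig = parse_rrsig(POSTED_RRSIG)
    # Evaluated at the timestamp of the reply above: Mon May 3 12:01:36 UTC 2021.
    state, margin = validity(sig, datetime(2021, 5, 3, 12, 1, 36, tzinfo=timezone.utc))
    print(sig["covered"], "key tag", sig["key_tag"], state, margin)
```

Running validity() with the current time and alerting while the margin is still several days lets an operator catch a stalled signer before validating resolvers start rejecting the zone.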