On 01.10.2015 at 14:35, Wolfgang Rosenauer wrote:
Hi,
one of my DNSSEC/DANE secured domains started breaking as of today and I do not fully understand why. Probably bright people here can point me to the correct resolution?
I'm using bind and its auto-dnssec maintain; inline-signing yes;
Also, I'm not aware that my KSK and ZSK keys have any expiration date, but today DNSSEC started to fail, apparently because my RRSIG signatures are said to be expired. Actually, my first idea is that the automatic maintenance in bind failed for some reason. So I deleted the journal and signed zone files and started over by signing the zone from scratch. This at least improved the situation a little bit according to http://dnsviz.net/d/rosenauer.org/dnssec/
But still it seems to be broken and I'm lost currently to understand what is wrong.
Thanks for any pointers, Wolfgang
There are 2 nameservers known: yaina.de. and ns.an-netz.de. According to the SOA, yaina.de seems to be a secondary.
I guess the zone transfer from primary to secondary did not happen because the zone serial is still the same.
Compare "dig @yaina.de. rosenauer.org. ns +dnssec" with "dig @ns.an-netz.de. rosenauer.org. ns +dnssec":
the primary has more and newer RRSIGs.
-> Every time a resign happens, the serial number must be changed.
Andreas
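As an added illustration (not part of this thread), a small Python check for the condition Andreas describes: it parses dig-style SOA and RRSIG records from both servers, flags a secondary whose serial matches the primary's while its RRSIG set differs, and flags RRSIGs whose validity window does not contain the reference time. The dig output below is constructed, not a real capture.

```python
from datetime import datetime, timezone

# Constructed sample output in dig presentation format (not real captures):
# the primary re-signed the zone but kept serial 2015100101, so the secondary
# still serves the old, now expired, RRSIG.
PRIMARY = """\
rosenauer.org. 3600 IN SOA ns.an-netz.de. hostmaster.rosenauer.org. 2015100101 7200 3600 1209600 3600
rosenauer.org. 3600 IN NS ns.an-netz.de.
rosenauer.org. 3600 IN NS yaina.de.
rosenauer.org. 3600 IN RRSIG NS 8 2 3600 20151030120000 20151001120000 12345 rosenauer.org. AAAA
"""
SECONDARY = """\
rosenauer.org. 3600 IN SOA ns.an-netz.de. hostmaster.rosenauer.org. 2015100101 7200 3600 1209600 3600
rosenauer.org. 3600 IN NS ns.an-netz.de.
rosenauer.org. 3600 IN NS yaina.de.
rosenauer.org. 3600 IN RRSIG NS 8 2 3600 20150930120000 20150901120000 12345 rosenauer.org. BBBB
"""

def parse(text):
    """Return (soa_serial, {(type_covered, keytag, expiration, inception), ...})."""
    serial, sigs = None, set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "SOA":
            serial = int(f[6])          # name ttl IN SOA mname rname serial ...
        elif f[3] == "RRSIG":
            # name ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
            sigs.add((f[4], int(f[10]), f[8], f[9]))
    return serial, sigs

def parse_ts(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check(primary_text, secondary_text, now):
    """List problems: an unrefreshed secondary, and RRSIGs it serves outside their window."""
    problems = []
    p_serial, p_sigs = parse(primary_text)
    s_serial, s_sigs = parse(secondary_text)
    if p_serial == s_serial and p_sigs != s_sigs:
        problems.append("stale-secondary")   # resigned without bumping the serial
    for typ, tag, exp, inc in sorted(s_sigs):
        if not (parse_ts(inc) <= now <= parse_ts(exp)):
            problems.append(f"expired-rrsig:{typ}/{tag}")
    return problems
```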