Hi Josef,
your version of Knot is pretty old with more issues that are fixed in newer versions. So
the quickest
recommendation for you is upgrade to a newer version of Knot (if it is possible).
Dan
On 09/26/2014 01:38 PM, Josef Karliak wrote:
Good afternoon,
I made a change in our zone, changed serial of the zone and reload the zone. When I
check the syslog, I saw some complains, that the signatures was out of date. For example:
Sep 26 11:31:17 slimak knot[22992]: [warning] Semantic warning in node: slimak.fnhk.cz.:
RRSIG: Expired signature! Record type: A.
Sep 26 11:31:17 slimak knot[22992]: [warning] Semantic warning in node: slimak.fnhk.cz.:
RRSIG: Expired signature! Record type: AAAA.
Sep 26 11:31:17 slimak knot[22992]: [warning] Semantic warning in node: slimak.fnhk.cz.:
RRSIG: Expired signature! Record type: NSEC.
This happens for all records in the zone.
Last change was 11.8.2014, knot signed it and planned resign to 7.9.2014:
Aug 11 13:39:10 slimak knot[22992]: Semantic checks completed for zone=fnhk.cz.
Aug 11 13:39:10 slimak knot[22992]: Zone 'fnhk.cz.' reloaded (serial 2014081101)
Aug 11 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - Signing started...
Aug 11 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - - Key is valid, tag 64431,
file Kfnhk.cz.+005+64431.private, ZSK, active, public
Aug 11 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - - Key is valid, tag 26812,
file Kfnhk.cz.+005+26812.private, KSK, active, public
Aug 11 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - Successfully signed.
Aug 11 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz.: Next signing planned on
2014-09-07T11:39:10.
Aug 11 13:39:10 slimak knot[22992]: Loaded 5 out of 5 zones.
Aug 11 13:39:10 slimak knot[22992]: Applied differences of 'fnhk.cz.' to
zonefile.
Aug 11 13:39:10 slimak knot[22992]: Configuration reloaded.
Aug 11 13:39:10 slimak knot[22992]: NOTIFY of 'fnhk.cz.' to
'195.113.115.171@53': Query issued (serial 2014081102).
Aug 11 13:39:10 slimak knot[22992]: NOTIFY of 'fnhk.cz.' to
'195.113.123.91@53': Query issued (serial 2014081102).
Aug 11 13:39:10 slimak knot[22992]: NOTIFY of 'fnhk.cz.' to
'89.248.244.34@53': Query issued (serial 2014081102).
on 7.9.2014 the zone was resigned automatically:
Sep 7 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - Signing zone...
Sep 7 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - - Key is valid, tag 64431,
file Kfnhk.cz.+005+64431.private, ZSK, active, public
Sep 7 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - - Key is valid, tag 26812,
file Kfnhk.cz.+005+26812.private, KSK, active, public
Sep 7 13:39:10 slimak knot[22992]: DNSSEC: Zone fnhk.cz. - Successfully signed.
Sep 7 13:39:11 slimak knot[22992]: NOTIFY of 'fnhk.cz.' to
'195.113.115.171@53': Query issued (serial 2014081103).
Sep 7 13:39:11 slimak knot[22992]: NOTIFY of 'fnhk.cz.' to
'195.113.123.91@53': Query issued (serial 2014081103).
Sep 7 13:39:11 slimak knot[22992]: NOTIFY of 'fnhk.cz.' to
'89.248.244.34@53': Query issued (serial 2014081103).
Sep 7 13:39:11 slimak knot[22992]: DNSSEC: Zone fnhk.cz.: Next signing planned on
2014-10-04T11:39:10.
Sep 7 13:39:11 slimak knot[22992]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.115.171@47363': Started (serial 2014081102 -> 2014081103).
Sep 7 13:39:11 slimak knot[22992]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.115.171@47363': Serial 2014081102 -> 2014081103.
Sep 7 13:39:11 slimak knot[22992]: Outgoing IXFR of 'fnhk.cz.' to
'195.113.115.171@47363': Finished in 0.01s.
And after today's changes knot told me that the signatures was out of date.
I've this similar version of knot on my own server, there is no problem
Any ideas ?
Thanks and best regards
J.Karliak
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users