Hi Daniel
On 03.10.2017 09:21, Daniel Salzman wrote:
> If the automatic signing is enabled, Knot should
> remove all unknown or expired RRSIGs automatically
> during re-signing. So it is very suspicious.
> What the server prints to the log upon `knotc zone-sign ...`? Could you please send me
> the whole server log?
2017-10-03T10:01:44 info: [example.com.] zone will be loaded
2017-10-03T10:01:44 notice: [example.com.] journal, obsolete exists, file '/var/lib/knot/example.com.db'
2017-10-03T10:01:44 info: [example.com.] changes from journal applied 1506932669 -> 1507016770
2017-10-03T10:01:44 info: [example.com.] DNSSEC, loaded key, tag 47100, algorithm 13, KSK no, ZSK yes, public yes, ready yes, active yes
2017-10-03T10:01:44 info: [example.com.] DNSSEC, loaded key, tag 25437, algorithm 13, KSK yes, ZSK no, public yes, ready yes, active yes
2017-10-03T10:01:44 info: [example.com.] DNSSEC, signing started
2017-10-03T10:01:44 info: [example.com.] DNSSEC, zone is up-to-date
2017-10-03T10:01:44 info: [example.com.] loaded, serial 1507016770
2017-10-03T10:01:44 info: [example.com.] DNSSEC, next signing at 2017-10-10T09:44:00
2017-10-03T10:01:53 info: [example.com.] notify, outgoing, 203.0.113.1@53: serial 1507016770
2017-10-03T10:01:53 info: [example.com.] notify, outgoing, 192.0.2.1@53: serial 1507016770
2017-10-03T10:02:12 info: [example.com.] control, received command 'zone-sign'
2017-10-03T10:02:12 info: [example.com.] DNSSEC, dropping previous signatures, resigning zone
2017-10-03T10:02:12 info: [example.com.] DNSSEC, loaded key, tag 47100, algorithm 13, KSK no, ZSK yes, public yes, ready yes, active yes
2017-10-03T10:02:12 info: [example.com.] DNSSEC, loaded key, tag 25437, algorithm 13, KSK yes, ZSK no, public yes, ready yes, active yes
2017-10-03T10:02:12 info: [example.com.] DNSSEC, signing started
2017-10-03T10:02:12 info: [example.com.] DNSSEC, successfully signed
2017-10-03T10:02:12 info: [example.com.] DNSSEC, next signing at 2017-10-10T10:02:12
2017-10-03T10:02:12 info: [example.com.] notify, outgoing, 203.0.113.1@53: serial 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 203.0.113.1@46104: started, serial 1507016770 -> 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 203.0.113.1@46104: finished, 0.00 seconds, 1 messages, 15856 bytes
2017-10-03T10:02:12 info: [example.com.] notify, outgoing, 192.0.2.1@53: serial 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 192.0.2.1@55378: started, serial 1507016770 -> 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing, 192.0.2.1@55378: finished, 0.00 seconds, 1 messages, 15856 bytes
I did not check correctly before, as it seems. The master indeed does
only serve the correct RRSIGs. It turns out it was the slaves (Knot
as well) that somehow still served the old RRSIGs but otherwise an
up-to-date zone. I did purge the zones from the slaves now (knotc -f
zone-purge && knotc reload) and now the slaves serve the correct RRSIGs
as well.
Let's see if this reoccurs; otherwise, sorry for the noise.
Regards
André
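A small check for the situation André describes, added here as an example and not part of the thread or of Knot DNS itself: given the RRSIG sets a master and a slave answer with, it reports signatures the slave serves that the master no longer has (stale), signatures the master has that the slave lacks (missing), and slave signatures whose expiration has already passed. A slave can have the current zone serial and still hand out an older but not yet expired signature set, which is exactly why comparing serials alone is not enough. The RRSIG records below are constructed for illustration (the key tags 47100 and 25437 are the ones in the log above; the validity windows and base64 blobs are made up), and the script uses only the standard library, so it runs offline.

```python
# Added example: diff the RRSIG sets a master and a slave serve, to spot a
# slave that still hands out old (or already expired) signatures even though
# its zone serial is current. Stdlib only; the RRSIG strings below are
# constructed for illustration, not captured from any real server.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: str  # base64 blob with whitespace removed

    def ident(self):
        # What makes two signatures "the same" for comparison purposes:
        # the covered type, the signing key and the validity window.
        return (self.type_covered, self.key_tag, self.inception, self.expiration)


def parse_time(ts: str) -> datetime:
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata: str) -> Rrsig:
    # Presentation format:
    #   type alg labels ttl expiration inception keytag signer signature...
    f = rdata.split()
    if len(f) < 9:
        raise ValueError(f"malformed RRSIG rdata: {rdata!r}")
    return Rrsig(
        type_covered=f[0].upper(),
        algorithm=int(f[1]),
        labels=int(f[2]),
        original_ttl=int(f[3]),
        expiration=parse_time(f[4]),
        inception=parse_time(f[5]),
        key_tag=int(f[6]),
        signer=f[7].lower(),
        signature="".join(f[8:]),
    )


def compare_rrsigs(master, slave, now):
    """Return stale (slave-only), missing (master-only) and expired-on-slave signatures."""
    m = {r.ident(): r for r in master}
    s = {r.ident(): r for r in slave}
    return {
        "stale": sorted(k for k in s if k not in m),
        "missing": sorted(k for k in m if k not in s),
        "expired": sorted(k for k, r in s.items() if r.expiration <= now),
    }


# Constructed sample data: the master was re-signed at 2017-10-03T10:02:12,
# the slave still answers with the previous SOA signature (valid but old)
# and an A signature that has already expired.
MASTER = [parse_rrsig(r) for r in (
    "SOA 13 2 3600 20171024100212 20171003100212 47100 example.com. c29hLXNpZw==",
    "A 13 2 3600 20171024100212 20171003100212 47100 example.com. YS1zaWc=",
    "DNSKEY 13 2 3600 20171024100212 20171003100212 25437 example.com. ZG5za2V5",
)]
SLAVE = [parse_rrsig(r) for r in (
    "SOA 13 2 3600 20171017094400 20170926094400 47100 example.com. b2xkLXNvYQ==",
    "A 13 2 3600 20171001000000 20170917000000 47100 example.com. ZXhwaXJlZA==",
    "DNSKEY 13 2 3600 20171024100212 20171003100212 25437 example.com. ZG5za2V5",
)]
NOW = datetime(2017, 10, 3, 12, 0, tzinfo=timezone.utc)


def report(master=MASTER, slave=SLAVE, now=NOW):
    return compare_rrsigs(master, slave, now)


if __name__ == "__main__":
    for kind, items in report().items():
        for rtype, tag, inc, exp in items:
            print(f"{kind}: {rtype} keytag={tag} "
                  f"{inc:%Y-%m-%dT%H:%M:%SZ} -> {exp:%Y-%m-%dT%H:%M:%SZ}")
```

In practice the two input lists would come from the RRSIG answers of each server (for example the output of a dig query against master and slave); feeding them through `compare_rrsigs` after every re-signing or transfer turns "the slave looks current but serves old signatures" into a reportable condition instead of something noticed only after validation failures.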