[knot-dns-users] Refreshing DNSKEY RRset signatures

Jan Včelák jan.vcelak at nic.cz
Thu Aug 20 17:22:55 CEST 2015

Hello Antti,

thank you for the report! You have found a bug.

The DNSKEY RRSIG expiration time is really not considered when planning the 
zone resign. Both the 1.6 and the 2.0 are affected.

The fix for this issue is currently being reviewed [1]. I hope we'll release a 
new Knot DNS patch version during the following week. Stay tuned.

[1] https://gitlab.labs.nic.cz/labs/knot/merge_requests/425

Thanks and Regards,


On Tuesday, August 18, 2015 05:33:11 AM Antti Ristimäki wrote:
> Hi,
> I'm running Knot 2.0.0 and automatically signing my zone with manual key
> management policy. When I manually refreshed the signatures by running
> "knotc signzone <zone>", all the signatures were refreshed as expected,
> except the DNSKEY RRset, whose signature remained untouched. I thought
> this wouldn't be a big deal, as Knot would probably automatically
> refresh DNSKEY RRset signature when about 1/10 of its lifetime will be
> remaining.
> However, when I now look at "knotc zonestatus", it shows that the next
> resigning is scheduled far beyond the expiration of the DNSKEY RRset
> signature. So, is my DNSKEY RRset signature going to be expired or is
> DNSKEY handled in some special way so that it will be eventually
> refreshed before expiring?
> My current DNSKEY RRSIG will expire at 20150828172101:
> nxdomain.fi.		600	IN	RRSIG	DNSKEY 8 2 600 20150828172101 61894 nxdomain.fi. qQJm.....
> But the next resigning is scheduled on 2015-09-14:
> nxdomain.fi.	type=master | serial=2015081708 | DNSSEC resign in 647h56m43s | automatic DNSSEC, resigning at: 2015-09-14T02:26:59
> Thanks,
> Antti
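
A check for the mismatch reported in this thread, as an added example that is not part of either message and is not Knot DNS code: it parses the RRSIG expiration and the `knotc zonestatus` resign time quoted above and lists the signatures that would lapse before the scheduled resign. The SOA record, the function names and the treatment of the zonestatus timestamp as UTC are assumptions.

```python
from datetime import datetime, timezone

# Outputs as quoted in the thread (whitespace normalised, signature data elided).
DNSKEY_RRSIG = "nxdomain.fi. 600 IN RRSIG DNSKEY 8 2 600 20150828172101 61894 nxdomain.fi. qQJm"
ZONESTATUS = ("nxdomain.fi. type=master | serial=2015081708 | DNSSEC resign in "
              "647h56m43s | automatic DNSSEC, resigning at: 2015-09-14T02:26:59")
# Constructed record (not from the thread): a signature that outlives the resign.
SOA_RRSIG = "nxdomain.fi. 600 IN RRSIG SOA 8 2 600 20150916172101 20150817172101 12345 nxdomain.fi. AAAA"

def rrsig_expiration(record):
    """Return (type covered, expiration as aware UTC datetime) for one RRSIG line."""
    fields = record.split()
    i = fields.index("RRSIG")          # RDATA starts right after the type mnemonic
    # Only the fields up to the expiration are read: covered, alg, labels, TTL, expiration.
    covered, expire = fields[i + 1], fields[i + 5]
    if len(expire) == 14:              # YYYYMMDDHHmmSS form (RFC 4034, section 3.2)
        when = datetime.strptime(expire, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    else:                              # otherwise seconds since the epoch
        when = datetime.fromtimestamp(int(expire), tz=timezone.utc)
    return covered, when

def scheduled_resign(status):
    """Extract the 'resigning at:' timestamp; assumed here to be UTC."""
    stamp = status.split("resigning at:", 1)[1].split()[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def expiring_before_resign(records, status):
    """List (type covered, expiration, gap) for signatures that lapse before the resign."""
    resign = scheduled_resign(status)
    late = []
    for record in records:
        covered, expire = rrsig_expiration(record)
        if expire < resign:
            late.append((covered, expire, resign - expire))
    return late

if __name__ == "__main__":
    for covered, expire, gap in expiring_before_resign([DNSKEY_RRSIG, SOA_RRSIG], ZONESTATUS):
        print(f"{covered} RRSIG expires {expire:%Y-%m-%d %H:%M:%S} UTC, {gap} before the resign")
```

Run against live data, the record lines would come from a DNSSEC-enabled query for each RRset and the status line from `knotc zonestatus`.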
