A few weeks ago (Feb 6) I had a domain (2 in total, plus subdomains) that did not get DNSSEC-signed automatically.
There are no errors that I know of, so I had to sign it manually (since the domain and subdomains were offline), and then I looked for a solution.
On the DA page it says it is done monthly, and you do not need to put it in your crontab.
"MONTHLY RESET will automatically re-sign all zones that have keys and already signed"
Thank you for giving the solution: I added
echo "action=rewrite&value=dnssec" >> /usr/local/directadmin/data/task.queue in my crontab to run every Sunday morning.
Today on a different server with a DNSSEC domain I got called by the customer: domains are offline!
And sure thing: DA did not sign this domain automatically.
So I signed the domain, and again added the cronjob task.
Would this be sufficient?
I went back to the previous server and saw that the domains on that server have not been signed 'automatically'. They are still on the same date (Feb 6).
I am now wondering. Does "action=rewrite&value=dnssec" only work on expired signed domains?
If that is the case, then I would need to run it every day, and that would be acceptable to me (even though it is not my duty to take care of this; DA should be doing it).
There may be a catch. Perhaps DA only renews when the DNSSEC signature was made exactly 30 days ago? Because the real expiration of the signature is 'last date updated + 35 days', for example:
Signed Feb 6 03:14 2023 Expiry: Mar 13 03:14 2023
What now happens is that I am forced to keep an eye on this daily. Unless DA fixes this problem.
To mitigate, I updated the cron and have it check daily. In March I will see if this helped (unless DA debugs and solves this).
DA updates itself very often with 'micro fixes', so my servers are always up to date; I do have the latest version available.
Before Feb 6 I did not have this problem (the domains were signed monthly as I added DNSSEC over a year ago), so it is a new bug and no one noticed it.
Does anyone else have this issue, or am I the only one? (I don't have support otherwise I would ask DA directly).
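As an added example (not the poster's setup and not DirectAdmin code), here is a check that keys on the RRSIG expiration field rather than on the date the zone was last signed, which is the number that actually decides whether resolvers start failing validation. It parses RRSIG records in the presentation format that `dig +dnssec <zone> SOA` prints, using constructed sample records for the hypothetical zones example.com and example.net (the first one carries the Feb 6 / Mar 13 timestamps from the post, i.e. a 35-day lifetime) and fixed "now" dates so the output is reproducible. The list it returns is what a daily cron job would act on, for instance by queueing the re-sign task from the post only when something is actually about to expire.

```python
"""Flag DNSSEC-signed zones whose RRSIGs are close to expiry.

Added example, not DirectAdmin code. It parses RRSIG records in the
presentation format `dig +dnssec <zone> SOA` prints and reports zones whose
signatures expire within a safety margin, so the admin sees the problem
before resolvers start returning SERVFAIL for the zone.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (hypothetical zones). The first mirrors the
# timestamps quoted in the post: inception Feb 6 03:14 2023 UTC, expiration
# Mar 13 03:14 2023 UTC, i.e. a 35-day signature lifetime.
SAMPLE_RRSIGS = """\
example.com.  3600 IN RRSIG SOA 13 2 3600 20230313031400 20230206031400 12345 example.com. c29tZXNpZw==
example.net.  3600 IN RRSIG SOA 13 2 3600 20230401120000 20230225120000 23456 example.net. c29tZXNpZw==
"""

# Fixed "now" values so the report is reproducible (assumed dates).
DEMO_NOW = datetime(2023, 3, 8, 12, 0, tzinfo=timezone.utc)    # ~5 days before example.com expires
DEMO_AFTER = datetime(2023, 3, 14, 0, 0, tzinfo=timezone.utc)  # example.com already expired


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int


def _rrsig_time(field: str) -> datetime:
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG line in presentation format.

    Fields: owner TTL class RRSIG type-covered algorithm labels original-TTL
            expiration inception key-tag signer signature...
    """
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4], expiration=_rrsig_time(f[8]),
                 inception=_rrsig_time(f[9]), key_tag=int(f[10]))


def parse_dig_output(text: str) -> list[Rrsig]:
    """Keep only RRSIG lines; dig output also carries comments and other RRs."""
    return [parse_rrsig(line) for line in text.splitlines()
            if line and not line.startswith(";") and " RRSIG " in line]


def signature_lifetime_days(sig: Rrsig) -> int:
    """Whole days between inception and expiration (35 for the post's zone)."""
    return (sig.expiration - sig.inception).days


def days_until_expiry(sig: Rrsig, now: datetime) -> float:
    """Negative once the signature has expired."""
    return (sig.expiration - now) / timedelta(days=1)


def zones_to_resign(text: str, now: datetime, min_remaining_days: int = 7) -> list[str]:
    """Zones whose RRSIG expires in fewer than min_remaining_days (or already did).

    The decision keys on the expiration field, not on how long ago the zone
    was signed: a re-sign that fires "30 days after signing" leaves only the
    remaining inception-to-expiration gap as margin if one run is skipped.
    """
    return sorted({s.owner for s in parse_dig_output(text)
                   if days_until_expiry(s, now) < min_remaining_days})


if __name__ == "__main__":
    for sig in parse_dig_output(SAMPLE_RRSIGS):
        print(f"{sig.owner:15} lifetime={signature_lifetime_days(sig)}d "
              f"remaining={days_until_expiry(sig, DEMO_NOW):.1f}d")
    print("re-sign now:", zones_to_resign(SAMPLE_RRSIGS, DEMO_NOW))
```

In real use, replace `SAMPLE_RRSIGS` with the output of `dig +dnssec +noall +answer <zone> SOA @127.0.0.1` against the authoritative server and `DEMO_NOW` with `datetime.now(timezone.utc)`; a margin of 7 days against a 35-day lifetime leaves time to notice a missed monthly run without waiting for the customer to call.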