Hi,
I've enabled DNSSEC on a few zones. The signatures on the zones seem to be valid for 35 days and seem to be renewed on the 1st of every month. However, it seems that the zone is not reloaded in Bind (rndc reload), so it will still serve the old (signed) zonefile (which triggered my monitoring system about the expiring signature on the zone). After a manual "rndc reload <zone.tld>", the new signed zone file has been loaded and the correct zonefile is used.
Obviously DA should take care of reloading the zone data. Can there be some problem on my system preventing this from happening? Or is this a possible bug?
I'm running DA 1.63.0 on Ubuntu 18.04
For now I will schedule a monthly "rndc reload" cronjob to make sure the latest signatures are loaded.
Another thing I noticed is that NSEC is used instead of NSEC3, which exposes DNS records. Is this done on purpose? Can this be changed? I'd rather not expose configured records.
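A check of the kind the post describes, added here as an example (not code from the original post and not DirectAdmin's own): it parses the RRSIG covering the zone apex SOA from the signed zone file on disk and from what the running server answers (e.g. the output of `dig +dnssec SOA zone.tld @localhost`), reports how many days the served signature has left, and flags a reload when the served signature expires earlier than the on-disk one. The two record sets below are constructed sample data; in real use the caller reads the file and the dig output.

```python
#!/usr/bin/env python3
"""Detect a re-signed zone that BIND is still serving with the old RRSIGs."""
import re
from datetime import datetime, timezone

# RRSIG presentation format (one record per line):
# <name> <ttl> IN RRSIG <type> <alg> <labels> <orig-ttl> <expiry> <inception> <keytag> <signer> <sig>
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)

def rrsig_expiry(lines, rrtype="SOA"):
    """Earliest RRSIG expiry (UTC) covering rrtype in the given records, or None."""
    expiries = []
    for line in lines:
        m = RRSIG_RE.match(line.strip())
        if m and m.group(2) == rrtype:
            ts = datetime.strptime(m.group(3), "%Y%m%d%H%M%S")
            expiries.append(ts.replace(tzinfo=timezone.utc))
    return min(expiries) if expiries else None

def check_zone(on_disk_lines, served_lines, now, warn_days=7):
    """Compare the signed file on disk with the answers the server gives.

    Returns a dict with the served signature's remaining days, whether the
    server lags behind the on-disk file (i.e. an rndc reload is needed), and
    whether the served signature is inside the warning window.
    """
    disk_exp = rrsig_expiry(on_disk_lines)
    served_exp = rrsig_expiry(served_lines)
    if disk_exp is None or served_exp is None:
        raise ValueError("no RRSIG over SOA found; is the zone signed?")
    days_left = (served_exp - now).total_seconds() / 86400
    return {
        "served_days_left": round(days_left, 2),
        "needs_reload": served_exp < disk_exp,
        "expiring_soon": days_left < warn_days,
    }

# Constructed sample: the file was re-signed on 1 Feb (35-day validity), but the
# running server still answers with the signature made on 1 Jan.
SIGNED_FILE = [
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20240307000000 20240201000000 12345 example.com. c29tZXNpZw==",
]
SERVED_ANSWER = [
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20240205000000 20240101000000 12345 example.com. b2xkc2ln",
]

if __name__ == "__main__":
    print(check_zone(SIGNED_FILE, SERVED_ANSWER, datetime(2024, 2, 2, tzinfo=timezone.utc)))
```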