
I have followed this tutorial to configure DNSSEC:

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2

If you don't modify your zone, do you ever need to redo anything, as with Let's Encrypt or other certificates that need renewal?

I have these 2 zone files, which are recreated daily by bind automatically; there is no cron task for it, so I assume bind does this automatically every day.

```
-rw-r--r--  1 _bind  _bind  22853 Mar 28 09:11 domain.se.signed
-rw-r--r--  1 _bind  _bind  78526 Mar 28 08:59 domain.se.signed.jnl
```
Asked by nft

1 Answer


Yes, the signatures (RRSIG records) have a limited validity.

Here's an example for the iis.se domain: `iis.se. 3600 IN RRSIG A 5 2 3600 20210407095501 20210328095501` The 2 numbers starting with 2021 are the "not valid before" and "not valid after" timestamps for this particular RRSET.

If your DNS software does not do on the fly signing (which I think named doesn't do), you have to sign and refresh the zone again before the RRSIG records expire.

Named can however take care of this for you, using the auto-dnssec maintain setting.

Answered by arjarj
Thumbs up for `auto-dnssec maintain`, which really is the sensible option. Also see https://ftp.isc.org/isc/dnssec-guide/html/dnssec-guide.html#easy-start-guide-for-authoritative-servers for a brief guide on that. – Håkan Lindqvist Mar 29 '21 at 11:44