On 27 Sep 2014, at 22:07, Chris Thompson <[log in to unmask]> wrote:
> While preparing that promised News Summary, I found that the RRSIGs in
> loughborough.ac.uk had become expired. Or rather, they have all reverted
> to covering a week in February 2012, e.g.
>
> $ dig +cd +dnssec +noall +answer +multi SOA loughborough.ac.uk.
> loughborough.ac.uk. 85916 IN SOA agate.lut.ac.uk. postmaster.lut.ac.uk. (
> 2012020800 ; serial
> 7200 ; refresh (2 hours)
> 900 ; retry (15 minutes)
> 604800 ; expire (1 week)
> 14400 ; minimum (4 hours)
> )
> loughborough.ac.uk. 85916 IN RRSIG SOA 8 3 86400 (
> 20120217023452 20120208145343 4281 loughborough.ac.uk.
> T/4Dqt6HyXPbFUsaF6P2UkD4MHZv5nxvFxkOczBTk5Jp
> WGC/nQu8/LNlssAOdV1xo8nUAq5ft779KpwS5SwUr6oT
> yErYhw+50XPRzySJK6YB8ZEfzGmsw3aeajSbHacI6NIj
> isUoS0cWE1mYczrSMLoXBu5G+W30is0Girv2FlQ= )
>
> I expect we all look forward to hearing what happened to cause that!
Ok, should be fixed now.
The problem came about because of a tidy-up of DNS server configurations. At the moment we are in the process of migrating our DNS servers to new hardware (the old hardware is ancient). As part of this, the configuration is also being tidied up.

Now, we use views at Loughborough, with the outside world getting a different view to the campus network. However, we use OpenDNSSEC for signing, which doesn't support views, so we can only sign one view. That means that for the loughborough zone the internal view is signed, and BIND uses the internal view zone file for both internal and external views. The DNS servers get the view files from the master by using different source addresses when slaving.

During the tidy-up someone must have spotted the loughborough external view was using the internal view source address and corrected it to the external view source address (forgetting why it was using the internal view). The only external view zone file which existed on the master was a test sign of the zone from 2012 :-(
Lessons to be learned here for lboro.
1. Comment the configuration properly
2. Monitor our external signed view
Regards
Scott Armitage,
Senior IT Services Specialist,
Loughborough University
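The second lesson above, monitoring the externally visible signed view, as an added example (this is not Loughborough's own monitoring code, and it is not part of the thread): a small Python checker that parses the answer section of a `dig +dnssec +multi` query and flags RRSIGs that are expired, not yet valid, or within a few days of expiry, with an answer that carries no RRSIG at all also counted as a failure. It goes slightly beyond the case in the thread, which was only an expired signature. The embedded sample is the SOA and RRSIG Chris quoted above, so the checker can be exercised offline; the zone name, server and source address on the command line are site-specific assumptions. The `-b` option exists in `dig` and sets the local source address of the query, which is what lets a monitoring host ask a view-selecting server for the view a particular client would receive.

```python
"""Flag expired, not-yet-valid and soon-to-expire RRSIGs in a dig answer.
Added example; not Loughborough's monitoring code."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the SOA and its RRSIG quoted earlier in this thread,
# in the layout "dig +multi" prints.
SAMPLE_ANSWER = """\
loughborough.ac.uk. 85916 IN SOA agate.lut.ac.uk. postmaster.lut.ac.uk. (
2012020800 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
14400 ; minimum (4 hours)
)
loughborough.ac.uk. 85916 IN RRSIG SOA 8 3 86400 (
20120217023452 20120208145343 4281 loughborough.ac.uk.
T/4Dqt6HyXPbFUsaF6P2UkD4MHZv5nxvFxkOczBTk5Jp
WGC/nQu8/LNlssAOdV1xo8nUAq5ft779KpwS5SwUr6oT
yErYhw+50XPRzySJK6YB8ZEfzGmsw3aeajSbHacI6NIj
isUoS0cWE1mYczrSMLoXBu5G+W30is0Girv2FlQ= )
"""


def unwrap_multi(text):
    """One token list per record: drop ';' comments and join lines until
    the '(' ... ')' groups of dig +multi output balance."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # "; serial" etc. are comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens = " ".join(buf).split()
            if tokens:
                records.append(tokens)
            buf, depth = [], 0
    return records


def rrsig_time(field):
    """RRSIG expiration/inception presentation format: YYYYMMDDHHMMSS, UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """RRSIG RDATA order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer, signature."""
    sigs = []
    for tok in unwrap_multi(text):
        if len(tok) >= 12 and tok[3] == "RRSIG":
            sigs.append({"owner": tok[0], "covered": tok[4],
                         "expiration": rrsig_time(tok[8]),
                         "inception": rrsig_time(tok[9]),
                         "keytag": int(tok[10]), "signer": tok[11]})
    return sigs


def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Return (owner, covered type, state, expiration) for each RRSIG."""
    out = []
    for s in parse_rrsigs(text):
        if now > s["expiration"]:
            state = "expired"
        elif now < s["inception"]:
            state = "not-yet-valid"
        elif s["expiration"] - now < warn:
            state = "expiring-soon"
        else:
            state = "ok"
        out.append((s["owner"], s["covered"], state, s["expiration"]))
    return out


def zone_is_healthy(text, now, warn=timedelta(days=3)):
    """No RRSIG at all is also a failure: that view is being served unsigned."""
    results = check_rrsigs(text, now, warn)
    return bool(results) and all(r[2] == "ok" for r in results)


def dig_command(zone, server, source_addr=None):
    """Probe one view. 'dig -b ADDR' sends from a chosen local address; +cd
    keeps a validating resolver in the path from turning a stale signature
    into SERVFAIL before we can inspect it (harmless on an authoritative)."""
    cmd = ["dig", "+cd", "+dnssec", "+multi", "+noall", "+answer"]
    if source_addr:
        cmd += ["-b", source_addr]
    return cmd + ["@" + server, "SOA", zone]


if __name__ == "__main__":
    # Usage: rrsig_check.py ZONE SERVER [SOURCE_ADDR]  (site-specific values)
    zone, server = sys.argv[1], sys.argv[2]
    source = sys.argv[3] if len(sys.argv) > 3 else None
    answer = subprocess.run(dig_command(zone, server, source),
                            capture_output=True, text=True, check=True).stdout
    now = datetime.now(timezone.utc)
    for owner, covered, state, exp in check_rrsigs(answer, now):
        print(f"{owner} RRSIG({covered}) expires {exp:%Y-%m-%d %H:%M} UTC: {state}")
    sys.exit(0 if zone_is_healthy(answer, now) else 2)
```

Run it once per view (once from an internal source address, once from an external one) from cron or a monitoring agent and alert on a non-zero exit; on the sample answer it reports the SOA signature as expired at the date of this thread, which is exactly the condition that went unnoticed here.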