Article ID: 130571, created on Apr 4, 2017, last review on Apr 4, 2017

  • Applies to:
  • Operations Automation 7.0

Questions

For a DNSSEC-enabled domain in OA, the following error is shown on zone validation or during BIND service start-up:

[root@ns1 ~]# named-checkzone -d example.com. /var/named/example.com.
loading "example.com." from "/var/named/example.com." class "IN"
/var/named/example.com.:1: no TTL specified; using SOA MINTTL instead
/var/named/example.com.:6: signature has expired
zone example.com/IN: loaded serial 281 (DNSSEC signed)
OK

Cause

The issue is recognized as POA-110780: Too long expiration date for RRSIG/KSK/ZSK causes BIND validation errors.

Resolution

This issue has no impact on DNS resolution for the affected domains. There is no workaround to fix the warnings: any zone update triggered from OA will rewrite the expiration date of the DNSSEC keys.

Contact your TAM/PTA team in order to clarify the status of the issue.
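Added example (not part of the original article or of OA): a check that lists which RRSIG records a validator would report as expired, assuming the 32-bit expiration field is compared with RFC 1982 serial number arithmetic as RFC 4034 section 3.1.5 specifies, so a date more than about 68 years ahead wraps into the past. The sample records, key tag 12345 and helper names are constructed for illustration, and each record is assumed to sit on a single line.

```python
import calendar
import time

# Constructed sample records (not from the article); signature data is a stub.
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20170504000000 20170404000000 12345 example.com. AAAA
example.com. 3600 IN RRSIG NS 8 2 3600 21170404000000 20170404000000 12345 example.com. AAAA
example.com. 3600 IN RRSIG A 8 2 3600 20170301000000 20170201000000 12345 example.com. AAAA
"""

def to_epoch(stamp):
    """Convert an RRSIG YYYYMMDDHHMMSS timestamp (UTC) to seconds since 1970."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))

def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers."""
    return 0 < ((b - a) & 0xFFFFFFFF) < 0x80000000

def check_rrsigs(zone_text, now):
    """Return (line_no, covered_type, expiration, status) for every RRSIG line."""
    results = []
    for line_no, line in enumerate(zone_text.splitlines(), 1):
        fields = line.split(";", 1)[0].split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 7:
            continue  # RDATA continues on another line; not handled here
        covered, expiration = fields[i + 1], fields[i + 5]
        expire = to_epoch(expiration)
        # The wire format keeps only the low 32 bits of the timestamp.
        if not serial_lt(expire & 0xFFFFFFFF, now & 0xFFFFFFFF):
            status = "valid"
        elif expire > now:
            status = "reported expired: more than 2**31 s ahead"
        else:
            status = "expired"
        results.append((line_no, covered, expiration, status))
    return results

if __name__ == "__main__":
    for row in check_rrsigs(SAMPLE_ZONE, int(time.time())):
        print("line %d: RRSIG %s expires %s -> %s" % row)
```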

Search Words

RRSIG has expiration date

DNSSEC

zone signature has expired for DNSSEC
