Bind9 - DNSKEY: verify failed due to bad signature (keyid=123456): RRSIG has expired


If your DNS server no longer resolves non-authoritative queries (i.e. not your own domains, but yahoo.com or whatever.org) and you see this error in the named logs:

25-Mar-2020 16:52:52.406 validating @0x7f87047d80d0: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
25-Mar-2020 16:52:52.406 validating @0x7f87047d80d0: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'
25-Mar-2020 16:52:52.406 validating @0x7f87047d80d0: dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in named.conf.

This means that either the trusted-keys entry in named.conf or the values shipped in bind.keys have expired.

You can follow https://www.isc.org/bind-keys/ if you can figure out how to go through that puzzle.
What I did was much simpler. Read on.

The command dig . dnskey +dnssec shows you the root zone DNSKEY records that need to be put in your configuration file:

19:53:10 root@gate:bind# dig . dnskey +dnssec

; <<>> DiG 9.9.5-9+deb8u18-Debian <<>> . dnskey +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9090
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;.				IN	DNSKEY

;; ANSWER SECTION:
.			7523	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.			7523	IN	DNSKEY	256 3 8 AwEAAc4qsciJ5MdMUIu4n/pSTsSiU9OCyAanPTe5TcMX4v1hxhpFwiTG QUv3BXT6IAO4litrZKTUaj4vitqHW1+RQsHn3k/gSvt7FwyQwpy0mEnS hBgr6RQiGtlBODNY67sTl+W8M/b6SLTAaaDri3BO5u6wrDs149rMELJA doVBjmXW+zRH3kZzh3lwyTZsYtk7L+3DYbTiiHq+sRB4F9XoBPAz5Psv 4q4EiPq07nW3acbW84zTz3CyQUmQkJT9VB1oUKHz6sNoyccqzcMX4q1G HAYpQ7FAXlKMxidoN1Ay5DWANgTmgJXzKhcI2nIZoq1x3yq4814O1LQd 9QP68gI37+0=
.			7523	IN	DNSKEY	256 3 8 AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL 2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=
.			7523	IN	RRSIG	DNSKEY 8 0 172800 20200411000000 20200321000000 20326 . a+gSnbQVAQg3MEAg8R8X3O7MY6eu2SyoWbkZqGFomwS3KSAJ1qkWGXSR xh1CwdyW7mBjVBd6ptKWofiVOn/abD5EJf1cLnktSKjMuarpqI1qWwz1 PKi9Ch625jzf+jGn+2CPGSfsd7tpkbjDvirrze/NHckTrtTvZ2esV2Bn PEU87F2I7Bfw603LQS1TbciF1i7k9qsZqYain3whVQrMso7CFhX4jJmr 0x+UfO5Cpmm8CWd6Pgmp+EIZJ4vmPzvpC58RUY1wc/M18CzVZpmPvQAN ywtaHNN/urDDsvibKAeQNdJ07OFBiR9+J2SoCl8aIVfu6PMIKIfyeYAn xLj6KQ==

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Mar 25 19:53:12 EET 2020
;; MSG SIZE  rcvd: 1139

I took the first line from "ANSWER SECTION" and updated my trusted-keys entry in named.conf like in the example below:

19:56:00 root@gate:bind# grep -A 2 trusted-keys named.conf
trusted-keys {
	. 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
	};

Also, my previous trusted key was dlv.isc.org. and I had this configured in named.conf, which is now disabled:
dnssec-lookaside . trust-anchor dlv.isc.org.;

Of course, a restart of the name server is required.
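The key above was taken from a plain dig answer, so before it goes into trusted-keys it is worth checking against the trust anchor that IANA publishes for the root zone. The following Python is an added example, not part of the original post: it parses the 257 DNSKEY from the dig output, computes its key tag (the keyid that named prints) and DS digest as defined in RFC 4034, and compares them with the IANA-published DS, which is copied in as an assumed constant that you should re-check against https://data.iana.org/root-anchors/root-anchors.xml yourself.

```python
import base64
import hashlib

# Root KSK exactly as returned by "dig . dnskey +dnssec" above (flags 257 = key-signing key).
ROOT_KSK_RDATA = (
    "257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 "
    "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv "
    "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF "
    "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e "
    "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd "
    "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN "
    "R1AkUTV74bU="
)

# Assumed constant: the KSK-2017 DS published by IANA in root-anchors.xml
# (key tag, algorithm, digest type, SHA-256 digest). Re-check it from the IANA source.
IANA_ROOT_DS = (20326, 8, 2,
                "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")


def dnskey_wire(rdata_text):
    """Parse presentation-format DNSKEY RDATA into RFC 4034 wire format."""
    flags, proto, alg, *key_chunks = rdata_text.split()
    pubkey = base64.b64decode("".join(key_chunks))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey


def key_tag(wire):
    """RFC 4034 Appendix B key tag; this is the 'keyid' shown in named's log lines."""
    ac = 0
    for i, b in enumerate(wire):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire, wire, digest_type):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire + wire).hexdigest().upper()


def matches_trust_anchor(rdata_text, ds, owner_wire=b"\x00"):
    """True only if key tag, algorithm and digest all match the DS. Root owner '.' is one zero byte."""
    wire = dnskey_wire(rdata_text)
    tag, alg, digest_type, digest = ds
    return (key_tag(wire) == tag and wire[3] == alg
            and ds_digest(owner_wire, wire, digest_type) == digest)
```

If matches_trust_anchor returns False for a key you pulled from dig, do not paste it into trusted-keys; a tampered or mistyped key would otherwise become your resolver's root of trust.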

DONE!

Thou shalt not steal!

If you want to use this information on your own website, please remember: copying and pasting it in its entirety is always stealing and you should be ashamed of yourself! Have at least the decency to create your own text and comments, run the commands on your own servers and provide your own output, not what I did!

Or at least link back to this website.