[Opendnssec-develop] RE: Signing back-offs

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 12 11:47:11 UTC 2012


On 07/12/2012 12:58 PM, Sara (Sinodun) wrote:
> Hi All,
> There seems to be a lot of traffic on the users list about problems
> with signature expiry dates and signing back-offs for various
> reasons.  Some issues have been traced to:
> - use of the auditor. (This can be addressed by disabling the
> auditor.)
> - configuration issues
> however there are a couple we haven't been able to get to the bottom
> of, or are still waiting for logs to investigate. I know that Paul,
> in particular, has a sense that 1.3 is unreliable in this regard. I
> have opened this thread to tackle the following:
> 1) Do we think there is an underlying issue and if so can we form a
> plan to investigate.

It is interesting to see that all come reasonably at the same time,
and someone suggested it could be related to the leap second story.
However, I lack knowledge on that topic at the moment to fully
understand how it could interfere with the OpenDNSSEC timings.

> 2) Paul - please make us aware of any specific issues on this that
> have been reported but you think merit further investigation. (I 
> believe https://issues.opendnssec.org/browse/SUPPORT-22 is in this 
> category?) We absolutely want to know about and fix issues in 1.3.
> 3) Can we think of any improvements to tools or monitoring, 
> documentation, etc that would help users detect signing back-off
> issues earlier?

You can run nagios to monitor your zones. It can tell you when a
signature is about to expire. I guess that the duration is
configurable, so you can set it to equal the Refresh value, so at the
moment nagios complains you know that a signature has not been
properly refreshed.

Best regards,


> Sara.

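The monitoring idea in the reply above, as an added example (not part of the original message, and not OpenDNSSEC or Nagios code): a check that warns once an RRSIG's remaining validity drops below the zone's Refresh value and goes critical once it has expired. The record data, `NOW`, the 3-day Refresh and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

def parse_sig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or seconds since the epoch (RFC 4034)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_rrsigs(records, refresh_seconds, now):
    """Return (status, findings) for RRSIG lines in dig/zone-file presentation format."""
    status, findings = OK, []
    for line in records.splitlines():
        fields = line.split()
        if line.lstrip().startswith(";") or "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # After "RRSIG": type covered, algorithm, labels, original TTL, expiration, ...
        owner, covered = fields[0], fields[i + 1]
        remaining = (parse_sig_time(fields[i + 5]) - now).total_seconds()
        if remaining <= 0:
            status = CRITICAL
            findings.append(f"{owner} {covered}: signature expired")
        elif remaining < refresh_seconds:
            # Below Refresh: the signer should already have replaced this signature.
            status = max(status, WARNING)
            findings.append(f"{owner} {covered}: {int(remaining)}s left, below Refresh")
    return status, findings

# Constructed sample input: fresh, overdue-for-refresh, and expired signatures.
SAMPLE = """\
; constructed records for example.com
example.com. 3600 IN RRSIG SOA 8 2 3600 20120726000000 20120705000000 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG NS 8 2 3600 20120714000000 20120623000000 12345 example.com. c2lnMg==
www.example.com. 3600 IN RRSIG A 8 3 3600 1341964800 1340150400 12345 example.com. c2lnMw==
"""
NOW = datetime(2012, 7, 12, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
REFRESH = 3 * 86400  # assumed Refresh value of 3 days

if __name__ == "__main__":
    status, findings = check_rrsigs(SAMPLE, REFRESH, NOW)
    print("\n".join(findings) or "all signatures fresh")
    raise SystemExit(status)
```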

