[Opendnssec-develop] RE: Signing back-offs
matthijs at nlnetlabs.nl
Thu Jul 12 11:47:11 UTC 2012
On 07/12/2012 12:58 PM, Sara (Sinodun) wrote:
> Hi All,
> There seems to be a lot of traffic on the users list about problems
> with signature expiry dates and signing back-offs for various
> reasons. Some issues have been traced to:
> - use of the auditor. (This can be addressed by disabling the
> auditor.)
> - configuration issues
> however there are a couple we haven't been able to get to the bottom
> of, or are still waiting for logs to investigate. I know that Paul,
> in particular, has a sense that 1.3 is unreliable in this regard. I
> have opened this thread to tackle the following:
> 1) Do we think there is an underlying issue and if so can we form a
> plan to investigate.
It is interesting to see that all come reasonably at the same time,
and someone suggested it could be related to the leap second story.
However, I lack knowledge on that topic at the moment to fully
understand how it could interfere with the OpenDNSSEC timings.
> 2) Paul - please make us aware of any specific issues on this that
> have been reported but you think merit further investigation. (I
> believe https://issues.opendnssec.org/browse/SUPPORT-22 is in this
> category?) We absolutely want to know about and fix issues in 1.3.
> 3) Can we think of any improvements to tools or monitoring,
> documentation, etc that would help users detect signing back-off
> issues earlier?
You can run Nagios to monitor your zones. It can tell you when a
signature is about to expire. I guess that the duration is
configurable, so you can set it to equal the Refresh value, so at the
moment Nagios complains you know that a signature has not been
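Added example, not part of the original message and not OpenDNSSEC or Nagios code: a Nagios-style check that warns when an RRSIG's remaining validity drops below a configurable threshold, as the reply suggests doing with the Refresh value. The zone name, key tag, timestamps and the 3-day threshold are constructed; timestamps are assumed to be in the YYYYMMDDHHmmSS form that dig prints.

```python
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin return codes

# Constructed RRSIG lines in dig presentation format (not real zone data).
SAMPLE = (
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20120726114711 20120712104711 12345 example.com. c2ln\n"
    "example.com. 3600 IN RRSIG NS 8 2 3600 20120714000000 20120630000000 12345 example.com. c2ln\n"
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20120710000000 20120626000000 12345 example.com. c2ln\n"
)

def _ts(field):
    """RRSIG timestamp as printed by dig: YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, expiration, inception) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 13 and f[3] == "RRSIG":
            yield f[0], f[4], _ts(f[8]), _ts(f[9])

def check_signatures(text, now, threshold):
    """Return (status, messages); the worst signature decides the status."""
    status, messages = UNKNOWN, []
    for owner, covered, expiration, inception in parse_rrsigs(text):
        remaining = expiration - now
        if now < inception:
            level, note = CRITICAL, "not yet valid"
        elif remaining <= timedelta(0):
            level, note = CRITICAL, "expired"
        elif remaining < threshold:
            level, note = WARNING, f"expires in {remaining}"
        else:
            level, note = OK, f"expires in {remaining}"
        messages.append(f"{owner} {covered}: {note}")
        status = level if status == UNKNOWN else max(status, level)
    if not messages:
        messages.append("no RRSIG records found")
    return status, messages

if __name__ == "__main__":
    import sys
    now = datetime(2012, 7, 12, 11, 47, 11, tzinfo=timezone.utc)  # constructed clock
    code, lines = check_signatures(SAMPLE, now, timedelta(days=3))  # 3 days: assumed Refresh
    print("\n".join(lines))
    sys.exit(code)
```

In a real check the input would come from a query for the zone's RRSIGs and `now` from the system clock; an UNKNOWN result means no signatures were seen at all, which is worth alerting on for a zone that is supposed to be signed.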