[Opendnssec-develop] RE: Signing back-offs

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 12 11:47:11 UTC 2012


On 07/12/2012 12:58 PM, Sara (Sinodun) wrote:
> Hi All,
> 
> There seems to be a lot of traffic on the users list about problems
> with signature expiry dates and signing back-offs for various
> reasons.  Some issues have been traced to:
> 
> - use of the auditor. (This can be addressed by disabling the
> auditor.)
> - configuration issues
> 
> however there are a couple we haven't been able to get to the bottom
> of, or are still waiting for logs to investigate. I know that Paul,
> in particular, has a sense that 1.3 is unreliable in this regard. I
> have opened this thread to tackle the following:
> 
> 1) Do we think there is an underlying issue and if so can we form a
> plan to investigate.

It is interesting to see that all come reasonably at the same time,
and someone suggested it could be related to the leap second story.
However, I lack knowledge on that topic at the moment to fully
understand how it could interfere with the OpenDNSSEC timings.

> 
> 2) Paul - please make us aware of any specific issues on this that
> have been reported but you think merit further investigation. (I 
> believe https://issues.opendnssec.org/browse/SUPPORT-22 is in this 
> category?) We absolutely want to know about and fix issues in 1.3.
> 
> 3) Can we think of any improvements to tools or monitoring, 
> documentation, etc. that would help users detect signing back-off
> issues earlier?

You can run Nagios to monitor your zones. It can tell you when a
signature is about to expire. I guess that the duration is
configurable, so you can set it to equal the Refresh value, so at the
moment Nagios complains you know that a signature has not been
properly refreshed.

Best regards,

Matthijs

> 
> Sara.


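The threshold suggested in the message above, as an added example (not part of the original post and not OpenDNSSEC or Nagios plugin code): a Nagios-style check that goes CRITICAL when any RRSIG has less than the Refresh value left. The records, key tag, three-day Refresh and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin return codes

# Constructed sample: RRSIG records in the presentation format `dig +dnssec` prints.
# Owner, key tag, dates and signature data are made up for this example.
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20120726114711 20120712104711 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG NS 8 2 3600 20120714060000 20120630060000 12345 example.com. c2lnMg==
"""

def parse_rrsigs(text):
    """Yield (owner, type_covered, expiration) for every RRSIG line in text."""
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        # Only the 14-digit YYYYMMDDHHmmSS form of the expiration field is handled here.
        exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        yield f[0], f[4], exp

def check_refresh(text, now, refresh):
    """Return (status, message): CRITICAL when a signature has less than `refresh` left."""
    sigs = list(parse_rrsigs(text))
    if not sigs:
        # An answer without signatures must not look healthy to the monitor.
        return UNKNOWN, "UNKNOWN: no RRSIG records found"
    late = []
    for owner, covered, exp in sigs:
        left = exp - now
        if left < refresh:
            state = "EXPIRED" if left <= timedelta(0) else f"{left} left"
            late.append(f"{owner} {covered} ({state})")
    if late:
        return CRITICAL, "CRITICAL: not refreshed: " + ", ".join(late)
    return OK, f"OK: {len(sigs)} signatures have more than {refresh} left"

if __name__ == "__main__":
    now = datetime(2012, 7, 12, 11, 47, 11, tzinfo=timezone.utc)  # constructed check time
    status, message = check_refresh(SAMPLE_RRSIGS, now, timedelta(days=3))
    print(status, message)  # a real plugin would exit with `status`
```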


