[Opendnssec-user] RRSIG for hobby.nl expires soon

Bas van den Dikkenberg bas at dikkenberg.net
Wed Jul 4 14:27:55 UTC 2012

Is there way to remove the expired sigs bye hand ?

-----Oorspronkelijk bericht-----
Van: Scott Armitage [mailto:S.P.Armitage at lboro.ac.uk] 
Verzonden: woensdag 4 juli 2012 15:56
Aan: Bas van den Dikkenberg
CC: opendnssec-user at lists.opendnssec.org
Onderwerp: Re: [Opendnssec-user] RRSIG for hobby.nl expires soon

On 4 Jul 2012, at 14:40, Bas van den Dikkenberg wrote:

> Hi i have problem with rrsig's that are expiring.
> In the kaspl it states that the rrsig's must be refresh 3d before they expire.
> But opendnssec doesn't refresh them.
> This is in my kaspl.xml
>                <Signatures>
>                        <Resign>PT2H</Resign>
>                        <Refresh>P3D</Refresh>
>                        <Validity>
>                                <Default>P7D</Default>
>                                <Denial>P7D</Denial>
>                        </Validity>
>                        <Jitter>PT12H</Jitter>
>                        <InceptionOffset>PT3600S</InceptionOffset>
>                </Signatures>
> But nagios reports: WARNING: check_dnssec_expiration - RRSIG for hobby.nl expires soon (20120705141400).
> Any sugestions ?

I have noticed the same problem. I have had time to look into so hadn't posted to the list.  Whilst ODS never lets the signatures expire, it does seem to operate outside of its refresh window.

Scott Armitage
Loughborough University

More information about the Opendnssec-user mailing list