[Opendnssec-user] RRSIG for hobby.nl expires soon

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 5 08:13:11 UTC 2012


I have seen this too one time, but in my case OpenDNSSEC did it right,
it was a secondary name server that was not updated properly (e.g.
running a previous serial of the zone) and that's why nagios complained.

You can remove signatures with

> ods-signer clear <zone>

This will clear the internal storage of that zone. Then run

> ods-signer sign <zone>

to immediately sign the zone again.

Best regards,
  Matthijs

On 07/04/2012 04:27 PM, Bas van den Dikkenberg wrote:
> Is there a way to remove the expired sigs by hand?
> 
> 
> -----Original message-----
> From: Scott Armitage [mailto:S.P.Armitage at lboro.ac.uk]
> Sent: Wednesday 4 July 2012 15:56
> To: Bas van den Dikkenberg
> CC: opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] RRSIG for hobby.nl expires soon
> 
> 
> On 4 Jul 2012, at 14:40, Bas van den Dikkenberg wrote:
> 
>> Hi, I have a problem with RRSIGs that are expiring.
>> 
>> In the kaspl it states that the RRSIGs must be refreshed 3d before
>> they expire. But OpenDNSSEC doesn't refresh them.
>> 
>> This is in my kaspl.xml
>> 
>> <Signatures>
>>   <Resign>PT2H</Resign>
>>   <Refresh>P3D</Refresh>
>>   <Validity>
>>     <Default>P7D</Default>
>>     <Denial>P7D</Denial>
>>   </Validity>
>>   <Jitter>PT12H</Jitter>
>>   <InceptionOffset>PT3600S</InceptionOffset>
>> </Signatures>
>> 
>> 
>> 
>> But nagios reports: WARNING: check_dnssec_expiration - RRSIG for
>> hobby.nl expires soon (20120705141400).
>> 
>> Any suggestions?
>> 
> 
> 
> I have noticed the same problem. I have had time to look into so
> hadn't posted to the list.  Whilst ODS never lets the signatures
> expire, it does seem to operate outside of its refresh window.
> 
> 
> 
> Scott Armitage Loughborough University 


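Added example (not part of the original messages and not OpenDNSSEC code): a check that takes the RRSIG expiration seen on one name server and the Resign/Refresh values quoted in the thread, and tells whether that signature should already have been replaced, which is the condition that points at either the signer or a stale secondary. The function names, the observation time, and the simplified model (signer runs every Resign and replaces signatures with less than Refresh left) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# <Signatures> values quoted in the thread (ISO 8601 durations).
KASP = {"Resign": "PT2H", "Refresh": "P3D", "Validity": "P7D", "Jitter": "PT12H"}

_DUR = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Parse the week/day/hour/minute/second subset of ISO 8601 durations."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

def parse_rrsig_time(stamp):
    """RRSIG presentation format YYYYMMDDHHmmSS, always UTC (RFC 4034)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify(expiration, now, kasp=KASP):
    """Return (state, remaining, refresh_due) for one observed RRSIG."""
    exp = parse_rrsig_time(expiration)
    refresh, resign = parse_duration(kasp["Refresh"]), parse_duration(kasp["Resign"])
    refresh_due = exp - refresh            # signer should replace it from here on
    remaining = exp - now
    if remaining <= timedelta(0):
        state = "expired"
    elif now < refresh_due:
        state = "fresh"
    elif now < refresh_due + resign:
        state = "due"                      # next signer run should pick it up
    else:
        state = "overdue"                  # signer missed it, or this server is stale
    return state, remaining, refresh_due

def min_expected_remaining(kasp=KASP):
    """Assumed model: shortest lifetime a healthy server shows is Refresh - Resign."""
    return parse_duration(kasp["Refresh"]) - parse_duration(kasp["Resign"])

if __name__ == "__main__":
    # Observation time is constructed: the thread gives no time zone for 14:40.
    now = datetime(2012, 7, 4, 14, 40, tzinfo=timezone.utc)
    state, remaining, due = classify("20120705141400", now)
    print(state, remaining, "refresh was due", due.isoformat())
    print("alert threshold should sit below", min_expected_remaining())
```

Running the same check against the expiration returned by each authoritative server separately shows whether only one of them is "overdue", which is the stale-secondary case described in the reply.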

