[Opendnssec-user] RRSIG for hobby.nl expires soon
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Jul 5 08:13:11 UTC 2012

I have seen this too one time, but in my case OpenDNSSEC did it right,
it was a secondary name server that was not updated properly (e.g.
running a previous serial of the zone) and that's why nagios complained.

You can remove signatures with

> ods-signer clear <zone>

This will clear the internal storage of that zone. Then run

> ods-signer sign <zone>

to immediately sign the zone again.

Best regards,
Matthijs

On 07/04/2012 04:27 PM, Bas van den Dikkenberg wrote:
> Is there a way to remove the expired sigs by hand?
>
>
> -----Original message-----
> From: Scott Armitage [mailto:S.P.Armitage at lboro.ac.uk]
> Sent: Wednesday 4 July 2012 15:56
> To: Bas van den Dikkenberg
> CC: opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] RRSIG for hobby.nl expires soon
>
>
> On 4 Jul 2012, at 14:40, Bas van den Dikkenberg wrote:
>
>> Hi, I have a problem with RRSIGs that are expiring.
>>
>> In the kaspl it states that the RRSIGs must be refreshed 3d before
>> they expire. But OpenDNSSEC doesn't refresh them.
>>
>> This is in my kaspl.xml
>>
>> <Signatures>
>>   <Resign>PT2H</Resign>
>>   <Refresh>P3D</Refresh>
>>   <Validity>
>>     <Default>P7D</Default>
>>     <Denial>P7D</Denial>
>>   </Validity>
>>   <Jitter>PT12H</Jitter>
>>   <InceptionOffset>PT3600S</InceptionOffset>
>> </Signatures>
>>
>> But nagios reports: WARNING: check_dnssec_expiration - RRSIG for
>> hobby.nl expires soon (20120705141400).
>>
>> Any suggestions?
>>
>
>
> I have noticed the same problem. I have had time to look into so
> hadn't posted to the list. Whilst ODS never lets the signatures
> expire, it does seem to operate outside of its refresh window.
>
>
>
> Scott Armitage Loughborough University
>
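
Added example (not part of the original thread and not OpenDNSSEC code): a check that evaluates the RRSIG expiration from the nagios warning against the Refresh and Resign values in the quoted policy, and flags name servers serving an older SOA serial, the cause described in the reply. The "now" timestamp, the server names and the serials are constructed, and the Refresh minus Resign threshold is an assumption about signer scheduling.

```python
import re
from datetime import datetime, timedelta, timezone

# Timing values from the <Signatures> block quoted in the thread.
KASP = {"Resign": "PT2H", "Refresh": "P3D", "Validity": "P7D", "Jitter": "PT12H"}

_DUR = re.compile(r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")

def parse_duration(text):
    """Parse the W/D/H/M/S subset of ISO 8601 durations (no years or months)."""
    m = _DUR.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

def parse_rrsig_time(stamp):
    """RRSIG presentation-format timestamp: YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def assess(expiration, now, kasp=KASP):
    """Return (state, remaining lifetime) for one RRSIG under the policy."""
    remaining = parse_rrsig_time(expiration) - now
    refresh = parse_duration(kasp["Refresh"])
    # Assumption: the signer runs once per Resign interval, so a healthy
    # signature can dip to Refresh - Resign before the next run replaces it.
    slack = parse_duration(kasp["Resign"])
    if remaining <= timedelta(0):
        return "EXPIRED", remaining
    if remaining < refresh - slack:
        return "REFRESH_OVERDUE", remaining
    return "OK", remaining

def stale_servers(serials):
    """Name servers whose SOA serial is behind the highest one observed.
    Plain integer comparison; RFC 1982 wraparound is not handled."""
    newest = max(serials.values())
    return sorted(ns for ns, serial in serials.items() if serial < newest)

if __name__ == "__main__":
    # Expiration from the nagios warning; "now" and the serials are constructed.
    now = datetime(2012, 7, 4, 12, 40, tzinfo=timezone.utc)
    print(assess("20120705141400", now))
    print(stale_servers({"ns1.example.": 2012070402, "ns2.example.": 2012070301}))
```

Running the same assessment against the RRSIGs returned by each authoritative server separately distinguishes a signer that is late from a secondary that is serving an old copy of the zone.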