[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Volker Janzen voja at voja.de
Tue Dec 10 10:08:35 UTC 2013


Hi,

I set up the dnssec_monitor.rb from OpenDNSSEC a few days ago. I got the first alarm today.

Current Status: CRITICAL (for 0d 8h 42m 55s)
Status Information: (Return code of 4 is out of bounds)

Console output:

6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
6 : (a.dnssecns.de): Adding ksk : 53095
6 : (a.dnssecns.de): Adding zsk : 64429
6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
6 : (a.dnssecns.de): dnssec.cc, NS verified OK
6 : (a.dnssecns.de): Checking non-existing domain for dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
6 : Finished checking on a.dnssecns.de(a.dnssecns.de)

I think I might have a configuration error in OpenDNSSEC. I want it to resign the whole zone once every 14 days, so that Nagios starts warning me 12 days before it expires. My kasp.xml should be the default:

<?xml version="1.0" encoding="UTF-8"?>

<!--

  NOTE:  The default policy below is a TEMPLATE ONLY and should be reviewed
         before used in any production environment. The administrator should
         consult the OpenDNSSEC documentation before changing any parameters.

         If you can read this message, it is likely that this file has not
         been reviewed nor updated.

  -->

<KASP>

        <Policy name="default">
                <Description>A default policy that will amaze you and your friends</Description>
                <Signatures>
                        <Resign>PT2H</Resign>
                        <Refresh>P3D</Refresh>
                        <Validity>
                                <Default>P14D</Default>
                                <Denial>P14D</Denial>
                        </Validity>
                        <Jitter>PT12H</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <!-- <OptOut/> -->
                                <Resalt>P100D</Resalt>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt length="8"/>
                                </Hash>
                        </NSEC3>
                </Denial>

                <Keys>
                        <!-- Parameters for both KSK and ZSK -->
                        <TTL>PT3600S</TTL>
                        <RetireSafety>PT3600S</RetireSafety>
                        <PublishSafety>PT3600S</PublishSafety>
                        <!-- <ShareKeys/> -->
                        <Purge>P14D</Purge>

                        <!-- Parameters for KSK only -->
                        <KSK>
                                <Algorithm length="2048">8</Algorithm>
                                <Lifetime>P1Y</Lifetime>
                                <Repository>SoftHSM</Repository>
                        </KSK>

                        <!-- Parameters for ZSK only -->
                        <ZSK>
                                <Algorithm length="1024">8</Algorithm>
                                <Lifetime>P90D</Lifetime>
                                <Repository>SoftHSM</Repository>
                                <!-- <ManualRollover/> -->
                        </ZSK>
                </Keys>

                <Zone>
                        <PropagationDelay>PT43200S</PropagationDelay>
                        <SOA>
                                <TTL>PT3600S</TTL>
                                <Minimum>PT3600S</Minimum>
                                <Serial>unixtime</Serial>
                        </SOA>
                </Zone>

                <Parent>
                        <PropagationDelay>PT9999S</PropagationDelay>
                        <DS>
                                <TTL>PT3600S</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT172800S</TTL>
                                <Minimum>PT10800S</Minimum>
                        </SOA>
                </Parent>

        </Policy>

        <Policy name="lab">
                <Description>Quick turnaround policy for lab work</Description>
                <Signatures>
                        <Resign>PT10M</Resign>
                        <Refresh>PT30M</Refresh>
                        <Validity>
                                <Default>PT1H</Default>
                                <Denial>PT1H</Denial>
                        </Validity>
                        <Jitter>PT1M</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC/>
                </Denial>

                <Keys>
                        <!-- Parameters for both KSK and ZSK -->
                        <TTL>PT300S</TTL>
                        <RetireSafety>PT360S</RetireSafety>
                        <PublishSafety>PT360S</PublishSafety>
                        <!-- <ShareKeys/> -->
                        <Purge>P14D</Purge>

                        <!-- Parameters for KSK only -->
                        <KSK>
                                <Algorithm length="2048">8</Algorithm>
                                <Lifetime>P1Y</Lifetime>
                                <Repository>SoftHSM</Repository>
                        </KSK>

                        <!-- Parameters for ZSK only -->
                        <ZSK>
                                <Algorithm length="1024">8</Algorithm>
                                <Lifetime>PT4H</Lifetime>
                                <Repository>SoftHSM</Repository>
                                <!-- <ManualRollover/> -->
                        </ZSK>
                </Keys>

                <Zone>
                        <PropagationDelay>PT300S</PropagationDelay>
                        <SOA>
                                <TTL>PT300S</TTL>
                                <Minimum>PT300S</Minimum>
                                <Serial>unixtime</Serial>
                        </SOA>
                </Zone>

                <Parent>
                        <PropagationDelay>PT9999S</PropagationDelay>
                        <DS>
                                <TTL>PT3600S</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT172800S</TTL>
                                <Minimum>PT10800S</Minimum>
                        </SOA>
                </Parent>

        </Policy>
</KASP>

zonelist.xml snippet:

        <Zone name="dnssec.cc">
                <Policy>default</Policy>
                <SignerConfiguration>/var/lib/opendnssec/signconf/dnssec.cc.xml</SignerConfiguration>
                <Adapters>
                        <Input>
                                <Adapter type="File">/var/lib/opendnssec/unsigned/dnssec.cc</Adapter>
                        </Input>
                        <Output>
                                <Adapter type="File">/var/lib/opendnssec/signed/dnssec.cc</Adapter>
                        </Output>
                </Adapters>
        </Zone>

/var/lib/opendnssec/signconf/dnssec.cc.xml

<SignerConfiguration>
        <Zone name="dnssec.cc">
                <Signatures>
                        <Resign>PT7200S</Resign>
                        <Refresh>PT259200S</Refresh>
                        <Validity>
                                <Default>PT1209600S</Default>
                                <Denial>PT1209600S</Denial>
                        </Validity>
                        <Jitter>PT43200S</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt>d54b080aa874f308</Salt>
                                </Hash>
                        </NSEC3>
                </Denial>

                <Keys>
                        <TTL>PT3600S</TTL>
                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>b9b1b3c9f51242b3f4f23d713c65adbb</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>8</Algorithm>
                                <Locator>d1f3f642a33a028426d7d1e391e5e03c</Locator>
                                <ZSK />
                                <Publish />
                        </Key>

                </Keys>

                <SOA>
                        <TTL>PT3600S</TTL>
                        <Minimum>PT3600S</Minimum>
                        <Serial>unixtime</Serial>
                </SOA>
        </Zone>
</SignerConfiguration>


Regards,
   Volker
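A way to check whether an alarm like the one above is normal steady-state behaviour or a real signer problem, as an added example that is not part of the original post and not OpenDNSSEC's own tooling. It assumes the documented KASP semantics: a signature is re-signed once less than `Refresh` remains, the signer runs every `Resign`, and `Jitter` is a symmetric spread around `Validity` on the expiration time (the ± model is an assumption; the exact spread does not change the conclusion). The `SIGNCONF_XML` string is a constructed copy of the `<Signatures>` block from the posted signconf; `parse_duration` handles only the day/hour/minute/second subset of ISO 8601 that appears in these files.

```python
import re
import xml.etree.ElementTree as ET

DAY = 86400.0

# Constructed copy of the <Signatures> block from the posted
# /var/lib/opendnssec/signconf/dnssec.cc.xml (values as in the post).
SIGNCONF_XML = """<SignerConfiguration>
  <Zone name="dnssec.cc">
    <Signatures>
      <Resign>PT7200S</Resign>
      <Refresh>PT259200S</Refresh>
      <Validity>
        <Default>PT1209600S</Default>
        <Denial>PT1209600S</Denial>
      </Validity>
      <Jitter>PT43200S</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
  </Zone>
</SignerConfiguration>
"""

# Subset of ISO 8601 durations used in kasp.xml / signconf (no years or months).
_DUR = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """'P14D', 'PT2H', 'PT259200S' -> seconds. Raises on anything else."""
    text = text.strip()
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: %r" % text)
    v = {k: int(x or 0) for k, x in m.groupdict().items()}
    return v["d"] * 86400 + v["h"] * 3600 + v["m"] * 60 + v["s"]


def signature_params(xml_text):
    """Pull the four timing values the model needs out of a signconf document."""
    sig = ET.fromstring(xml_text).find(".//Signatures")
    return {
        "resign": parse_duration(sig.findtext("Resign")),
        "refresh": parse_duration(sig.findtext("Refresh")),
        "validity": parse_duration(sig.findtext("Validity/Default")),
        "jitter": parse_duration(sig.findtext("Jitter")),
    }


def remaining_validity_range(p):
    """(shortest, longest) remaining lifetime in seconds a *healthy* signer
    leaves on a signature.  Assumed model: a fresh signature expires
    Validity +/- Jitter after signing; every Resign run replaces signatures
    with less than Refresh left, so just before a run one may have only
    Refresh - Resign left."""
    return p["refresh"] - p["resign"], p["validity"] + p["jitter"]


def fraction_of_cycle_below(p, warn_days):
    """Fraction of a signature's life (nominal Validity, jitter ignored)
    during which an external monitor sees fewer than warn_days days left,
    i.e. how often a threshold of warn_days alarms on a working signer."""
    warn = warn_days * DAY
    start, end = float(p["validity"]), float(p["refresh"])
    if warn <= end:
        return 0.0  # threshold below Refresh: only fires if the signer stops
    return (min(warn, start) - end) / (start - end)


def verdict(xml_text, observed_days, warn_days):
    """Classify an observed 'will expire in N days' reading against a policy."""
    p = signature_params(xml_text)
    lo, hi = remaining_validity_range(p)
    return {
        "observed_is_normal": lo <= observed_days * DAY <= hi,
        "fraction_of_time_alarmed": fraction_of_cycle_below(p, warn_days),
        "warn_below_refresh": warn_days * DAY < p["refresh"],
    }


if __name__ == "__main__":
    # The reading from the post: 11.638 days left, kskwarn 12 days.
    print(verdict(SIGNCONF_XML, 11.6381365740741, 12.0))
    # A threshold under Refresh (3 days) only fires when the signer has
    # missed at least one refresh window.
    print(verdict(SIGNCONF_XML, 11.6381365740741, 2.0))
```

With this policy a DNSKEY RRSIG is re-created only when less than `Refresh` (3 days) remains, so remaining validity normally drifts from about 14 days down to about 3 days before being replaced; a threshold of 12 days is inside that normal band and will be in alarm for roughly 9 of every 11 days. A threshold that means "the signer has stopped refreshing" has to sit below `Refresh` (for example 2 days), or `Refresh` has to be raised above the threshold.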
