[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
Volker Janzen
voja at voja.de
Tue Dec 10 10:08:35 UTC 2013
Hi,
I set up the dnssec_monitor.rb from OpenDNSSEC a few days ago. I got
the first alarm today.
Current Status: CRITICAL (for 0d 8h 42m 55s)
Status Information: (Return code of 4 is out of bounds)
Console output:
6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
6 : (a.dnssecns.de): Adding ksk : 53095
6 : (a.dnssecns.de): Adding zsk : 64429
6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
6 : (a.dnssecns.de): dnssec.cc, NS verified OK
6 : (a.dnssecns.de): Checking non-existing domain for dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
6 : Finished checking on a.dnssecns.de(a.dnssecns.de)
I think I might have a configuration error in OpenDNSSEC. I want it to
resign the whole zone once every 14 days, so that Nagios starts warning me 12
days before it expires. My kasp.xml should be the default:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    NOTE: The default policy below is a TEMPLATE ONLY and should be reviewed
    before used in any production environment. The administrator should
    consult the OpenDNSSEC documentation before changing any parameters.
    If you can read this message, it is likely that this file has not
    been reviewed nor updated.
-->
<KASP>
    <Policy name="default">
        <Description>A default policy that will amaze you and your friends</Description>
        <Signatures>
            <Resign>PT2H</Resign>
            <Refresh>P3D</Refresh>
            <Validity>
                <Default>P14D</Default>
                <Denial>P14D</Denial>
            </Validity>
            <Jitter>PT12H</Jitter>
            <InceptionOffset>PT3600S</InceptionOffset>
        </Signatures>
        <Denial>
            <NSEC3>
                <!-- <OptOut/> -->
                <Resalt>P100D</Resalt>
                <Hash>
                    <Algorithm>1</Algorithm>
                    <Iterations>5</Iterations>
                    <Salt length="8"/>
                </Hash>
            </NSEC3>
        </Denial>
        <Keys>
            <!-- Parameters for both KSK and ZSK -->
            <TTL>PT3600S</TTL>
            <RetireSafety>PT3600S</RetireSafety>
            <PublishSafety>PT3600S</PublishSafety>
            <!-- <ShareKeys/> -->
            <Purge>P14D</Purge>
            <!-- Parameters for KSK only -->
            <KSK>
                <Algorithm length="2048">8</Algorithm>
                <Lifetime>P1Y</Lifetime>
                <Repository>SoftHSM</Repository>
            </KSK>
            <!-- Parameters for ZSK only -->
            <ZSK>
                <Algorithm length="1024">8</Algorithm>
                <Lifetime>P90D</Lifetime>
                <Repository>SoftHSM</Repository>
                <!-- <ManualRollover/> -->
            </ZSK>
        </Keys>
        <Zone>
            <PropagationDelay>PT43200S</PropagationDelay>
            <SOA>
                <TTL>PT3600S</TTL>
                <Minimum>PT3600S</Minimum>
                <Serial>unixtime</Serial>
            </SOA>
        </Zone>
        <Parent>
            <PropagationDelay>PT9999S</PropagationDelay>
            <DS>
                <TTL>PT3600S</TTL>
            </DS>
            <SOA>
                <TTL>PT172800S</TTL>
                <Minimum>PT10800S</Minimum>
            </SOA>
        </Parent>
    </Policy>
    <Policy name="lab">
        <Description>Quick turnaround policy for lab work</Description>
        <Signatures>
            <Resign>PT10M</Resign>
            <Refresh>PT30M</Refresh>
            <Validity>
                <Default>PT1H</Default>
                <Denial>PT1H</Denial>
            </Validity>
            <Jitter>PT1M</Jitter>
            <InceptionOffset>PT3600S</InceptionOffset>
        </Signatures>
        <Denial>
            <NSEC/>
        </Denial>
        <Keys>
            <!-- Parameters for both KSK and ZSK -->
            <TTL>PT300S</TTL>
            <RetireSafety>PT360S</RetireSafety>
            <PublishSafety>PT360S</PublishSafety>
            <!-- <ShareKeys/> -->
            <Purge>P14D</Purge>
            <!-- Parameters for KSK only -->
            <KSK>
                <Algorithm length="2048">8</Algorithm>
                <Lifetime>P1Y</Lifetime>
                <Repository>SoftHSM</Repository>
            </KSK>
            <!-- Parameters for ZSK only -->
            <ZSK>
                <Algorithm length="1024">8</Algorithm>
                <Lifetime>PT4H</Lifetime>
                <Repository>SoftHSM</Repository>
                <!-- <ManualRollover/> -->
            </ZSK>
        </Keys>
        <Zone>
            <PropagationDelay>PT300S</PropagationDelay>
            <SOA>
                <TTL>PT300S</TTL>
                <Minimum>PT300S</Minimum>
                <Serial>unixtime</Serial>
            </SOA>
        </Zone>
        <Parent>
            <PropagationDelay>PT9999S</PropagationDelay>
            <DS>
                <TTL>PT3600S</TTL>
            </DS>
            <SOA>
                <TTL>PT172800S</TTL>
                <Minimum>PT10800S</Minimum>
            </SOA>
        </Parent>
    </Policy>
</KASP>
zonelist.xml snippet:
<Zone name="dnssec.cc">
    <Policy>default</Policy>
    <SignerConfiguration>/var/lib/opendnssec/signconf/dnssec.cc.xml</SignerConfiguration>
    <Adapters>
        <Input>
            <Adapter type="File">/var/lib/opendnssec/unsigned/dnssec.cc</Adapter>
        </Input>
        <Output>
            <Adapter type="File">/var/lib/opendnssec/signed/dnssec.cc</Adapter>
        </Output>
    </Adapters>
</Zone>
/var/lib/opendnssec/signconf/dnssec.cc.xml:
<SignerConfiguration>
    <Zone name="dnssec.cc">
        <Signatures>
            <Resign>PT7200S</Resign>
            <Refresh>PT259200S</Refresh>
            <Validity>
                <Default>PT1209600S</Default>
                <Denial>PT1209600S</Denial>
            </Validity>
            <Jitter>PT43200S</Jitter>
            <InceptionOffset>PT3600S</InceptionOffset>
        </Signatures>
        <Denial>
            <NSEC3>
                <Hash>
                    <Algorithm>1</Algorithm>
                    <Iterations>5</Iterations>
                    <Salt>d54b080aa874f308</Salt>
                </Hash>
            </NSEC3>
        </Denial>
        <Keys>
            <TTL>PT3600S</TTL>
            <Key>
                <Flags>257</Flags>
                <Algorithm>8</Algorithm>
                <Locator>b9b1b3c9f51242b3f4f23d713c65adbb</Locator>
                <KSK />
                <Publish />
            </Key>
            <Key>
                <Flags>256</Flags>
                <Algorithm>8</Algorithm>
                <Locator>d1f3f642a33a028426d7d1e391e5e03c</Locator>
                <ZSK />
                <Publish />
            </Key>
        </Keys>
        <SOA>
            <TTL>PT3600S</TTL>
            <Minimum>PT3600S</Minimum>
            <Serial>unixtime</Serial>
        </SOA>
    </Zone>
</SignerConfiguration>
Regards,
Volker
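Added example (not part of the post above and not OpenDNSSEC's own code): a Python script that parses the <Signatures> durations from a kasp.xml policy block like the one quoted and estimates the band of remaining RRSIG validity a monitor such as dnssec_monitor.rb can observe, so a kskwarn threshold can be checked against it. It assumes a simplified signer model (the signer wakes every Resign, replaces any signature with less than Refresh left, and a new signature lasts Validity plus up to Jitter); the sample policy text is constructed from the default policy above.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Duration subset used in kasp.xml/signconf: P14D, PT2H, PT12H, PT259200S, ...
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def signature_params(xml_text):
    """Pull Resign/Refresh/Validity-Default/Jitter from a <Signatures> block."""
    sig = ET.fromstring(xml_text).find(".//Signatures")
    get = lambda path: parse_duration(sig.find(path).text)
    return {"resign": get("Resign"), "refresh": get("Refresh"),
            "validity": get("Validity/Default"), "jitter": get("Jitter")}

def remaining_window_days(p):
    """(min, max) remaining RRSIG validity, in days, a monitor can observe.
    Simplified model assumed by this example: the signer wakes every <Resign>
    and replaces any signature whose remaining validity is below <Refresh>;
    a new signature lasts <Validity> plus up to <Jitter>."""
    lo = p["refresh"] - p["resign"]
    hi = p["validity"] + p["jitter"]
    return lo.total_seconds() / 86400, hi.total_seconds() / 86400

def classify_warn(warn_days, p):
    """How a 'warn when fewer than warn_days remain' threshold behaves."""
    lo, hi = remaining_window_days(p)
    if warn_days <= lo:
        return "fires-only-on-failure"   # signer missed a refresh: real alarm
    if warn_days < hi:
        return "fires-every-cycle"       # normally aged signatures trip it
    return "fires-always"

# Constructed sample: the <Signatures> block of the "default" policy above.
DEFAULT_POLICY = """<Policy name="default"><Signatures>
  <Resign>PT2H</Resign><Refresh>P3D</Refresh>
  <Validity><Default>P14D</Default><Denial>P14D</Denial></Validity>
  <Jitter>PT12H</Jitter><InceptionOffset>PT3600S</InceptionOffset>
</Signatures></Policy>"""

if __name__ == "__main__":
    params = signature_params(DEFAULT_POLICY)
    print(remaining_window_days(params), classify_warn(12.0, params))
```

With the default policy the band is roughly 2.9 to 14.5 days, so a 12-day threshold trips on every signing cycle rather than only when the signer stops refreshing.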