[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
Matthijs Mekking
matthijs at nlnetlabs.nl
Tue Dec 10 11:16:59 UTC 2013
On 12/10/2013 11:55 AM, Volker Janzen wrote:
> Hi Matthijs,
>
>> - Increase the verbosity of the signer (ods-signer verbosity 5) and see
>> if there is something in the logs then
>
> okay, tried to add this to the init script.
>
>> - Get the queue: ods-signer queue
>
> Still this output:
>
> root at a:~# ods-signer queue
> It is now Tue Dec 10 11:52:48 2013
>
> I have 1 tasks scheduled.
> On Tue Dec 10 12:29:35 2013 I will [sign] zone dnssec.cc
>
>> - Check the nagios configuration and see if it matches the kasp.xml
>> validity and refresh values.
>
> <Refresh>P3D</Refresh>
> <Validity>
> <Default>P14D</Default>
> <Denial>P14D</Denial>
> </Validity>
>
> I assume after three days something should happen. And I assume if
> something expires in less than 12 days, the Validity should have catched
> something and resign?
Because a pictures says more than a thousand words, I would like to
point to:
https://wiki.opendnssec.org/display/DOCS/kasp.xml
Thus nagios should complain when the signature expires in less than 3
days. Actually: less than 3 days minus the resign period so 3 days minus
2 hours.
Best regards,
Matthijs
>
>
> Volker
>
More information about the Opendnssec-user
mailing list