[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Volker Janzen voja at voja.de
Tue Dec 10 12:10:44 UTC 2013


Hi Matthijs,

> Because a picture says more than a thousand words, I would like to
> point to:
> 
> 	https://wiki.opendnssec.org/display/DOCS/kasp.xml
> 
> Thus nagios should complain when the signature expires in less than 3
> days. Actually: less than 3 days minus the resign period, so 3 days minus
> 2 hours.

I think I understand my problem now. In my own words: all signatures
are set to have a validity of 14 days, the period I want to check in
Nagios. This does not work, because only signatures that are going to
expire within the resign period are re-generated. If I set the resign to
e.g. 12 days, the signer will resign the whole zone every two days. This
will consume more CPU and scale badly with many zones.

If I just have a few zones, I can set signature validity to 14 and Resign
to 10. This will cause a resign every 4 days. Signature expiry should not
fall below 10 days with this (minus 3 hours). Correct? So e.g. nine days
would be safe to check in Nagios.


Volker
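The threshold rule discussed in this thread (a signature's remaining lifetime never drops below the refresh interval minus the resign interval, so the Nagios warning must sit below that), worked through as an added example that is not from the thread or from OpenDNSSEC itself. The kasp.xml fragment and the RRSIG expiration timestamps are constructed with the values mentioned above; `policy`, `check_rrsig` and the duration parser (days/hours/minutes/seconds only) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed kasp.xml fragment using the values from the thread:
# 14 day validity, refresh when 10 days remain, signer runs every 3 hours.
KASP_XML = """<KASP><Policy name="default"><Signatures>
  <Resign>PT3H</Resign>
  <Refresh>P10D</Refresh>
  <Validity><Default>P14D</Default></Validity>
</Signatures></Policy></KASP>"""

# Subset of the ISO 8601 durations kasp.xml uses: P<days>DT<h>H<m>M<s>S
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Turn 'P10D' or 'PT3H' into a timedelta (assumed subset of ISO 8601)."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def min_remaining_validity(kasp_xml, policy="default"):
    """Worst-case remaining lifetime of a live signature: Refresh - Resign.

    A signature is only re-generated once less than Refresh remains, and the
    signer only looks every Resign, so it can sit unrefreshed that much longer.
    """
    sig = ET.fromstring(kasp_xml).find(f"./Policy[@name='{policy}']/Signatures")
    resign = parse_duration(sig.findtext("Resign"))
    refresh = parse_duration(sig.findtext("Refresh"))
    validity = parse_duration(sig.findtext("Validity/Default"))
    if refresh >= validity or resign >= refresh:
        raise ValueError("policy would refresh constantly or never in time")
    return refresh - resign

def check_rrsig(expiration, warn_days, now=None):
    """Nagios-style verdict (0 OK, 1 WARNING, 2 CRITICAL) for an RRSIG
    expiration field in its wire/presentation form YYYYMMDDHHMMSS (UTC)."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    remaining_days = (exp - now).total_seconds() / 86400
    if remaining_days <= 0:
        return 2, remaining_days          # already expired: resolvers fail validation
    if remaining_days < warn_days:
        return 1, remaining_days          # below the operator's threshold
    return 0, remaining_days

def safe_warn_days(kasp_xml, margin=timedelta(hours=12)):
    """Largest whole-day Nagios threshold that stays under Refresh - Resign."""
    return int((min_remaining_validity(kasp_xml) - margin) // timedelta(days=1))
```

With the constructed policy the floor is 9 days 21 hours, so a 9 day threshold warns only on a genuinely stalled signer, while a 10 day threshold would fire on every normal resign cycle.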
