[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Dec 11 10:54:28 UTC 2013

Hi Volker,

On 10-12-13 13:10, Volker Janzen wrote:
> Hi Matthijs,
>> Because a pictures says more than a thousand words, I would like to
>> point to:
>> 	https://wiki.opendnssec.org/display/DOCS/kasp.xml
>> Thus nagios should complain when the signature expires in less than 3
>> days. Actually: less than 3 days minus the resign period so 3 days minus
>> 2 hours.
> I think I understand my problem now. In my own words: all signatures
> are set to have a validity of 14 days - the period I want to check in
> Nagios. This does not work, because only signatures that are going to
> expire within the resign period are re-generated. If I set the resign to
> e.g. 12 days, the signer will resign the whole zone every two days. This
> will consume more CPU and scale badly with many zones.

If you set <Resign> to 12 days, the signer will sign the zone every 12 
days. That is not what you want, I guess.

> If I just have a few zones, I can set signature validity to 14, Resign
> to 10. This will cause a resign every 4 days. Signature expiry should not
> fall below 10 days with this (minus 3 hours). Correct? So e.g. nine days
> would be safe to check in Nagios.

You haven't talked about Refresh yet. At least the Refresh period should 
be higher than the Resign period. I think a Resign period of 4 days is 
quite high. I would make it a couple of hours.

The Refresh period allows you to regenerate signatures some time before 
they expire. This is usually set to the time it takes to resolve 
issues with the signer system, plus the weekend. So the Refresh period 
is usually a few days.

If you have a Refresh period of 3 days, a Resign period of 12 hours, and 
a Signature Validity of 14 days, then you should let nagios check that a 
signature does not expire within 10.5 days (14 - 3 - 0.5).

Best regards,

> Volker

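The threshold rule from the reply (Validity minus Refresh minus Resign) turned into a small Nagios-style check, as an added example that is not part of this thread or of OpenDNSSEC itself. The KASP periods are passed in as timedeltas rather than read from kasp.xml, and the RRSIG line and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example: the three <Signatures> periods from kasp.xml, supplied
# here as timedeltas (the real file uses ISO 8601 durations such as PT12H).
@dataclass
class KaspTiming:
    validity: timedelta   # <Validity><Default>
    refresh: timedelta    # <Refresh>
    resign: timedelta     # <Resign>

    def min_remaining(self) -> timedelta:
        """Lowest remaining signature lifetime a healthy zone should show.

        A signature is regenerated once it is within Refresh of expiry,
        but the signer only runs every Resign, so a signature can get as
        close as Validity - Refresh - Resign to expiry before renewal.
        """
        return self.validity - self.refresh - self.resign


def parse_rrsig_expiration(rrsig_line: str) -> datetime:
    """Expiration timestamp (UTC) from a presentation-format RRSIG record."""
    fields = rrsig_line.split()
    # owner TTL class RRSIG type alg labels origttl expiration inception ...
    idx = fields.index("RRSIG")
    return datetime.strptime(fields[idx + 5], "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc)


def check_signature(rrsig_line: str, timing: KaspTiming, now: datetime):
    """Return (nagios_exit_code, message) for one RRSIG.

    Anything below Validity - Refresh - Resign means the signer is not
    keeping up (or has stopped), so it is reported CRITICAL rather than
    treated as a normal part of the resign cycle.
    """
    threshold = timing.min_remaining()
    remaining = parse_rrsig_expiration(rrsig_line) - now
    days = remaining / timedelta(days=1)
    floor = threshold / timedelta(days=1)
    if remaining < threshold:
        return 2, f"CRITICAL: RRSIG expires in {days:.2f} days (floor {floor:.2f})"
    return 0, f"OK: RRSIG expires in {days:.2f} days (floor {floor:.2f})"


# Constructed sample: 14-day validity, 3-day refresh, 12-hour resign.
TIMING = KaspTiming(timedelta(days=14), timedelta(days=3), timedelta(hours=12))
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG SOA 8 2 3600 20131225105428 "
                "20131211105428 12345 example.com. AbCd==")  # constructed
```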