[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
matthijs at nlnetlabs.nl
Wed Dec 11 10:54:28 UTC 2013
On 10-12-13 13:10, Volker Janzen wrote:
> Hi Matthijs,
>> Because a pictures says more than a thousand words, I would like to
>> point to:
>> Thus Nagios should complain when the signature expires in less than 3
>> days. Actually: in less than 3 days minus the resign period, so 3 days
>> minus 2 hours.
> I think I understand my problem now. In my own words: all signatures
> are set to have a validity of 14 days - the period I want to check in
> Nagios. This does not work, because only those signatures are
> regenerated that are going to expire within the resign period. If I set
> the resign to e.g. 12 days, the signer will resign the whole zone every
> two days. This will consume more CPU and scale badly with many zones.
If you set <Resign> to 12 days, the signer will sign the zone every 12
days. That is not what you want I guess.
> If I just have a few zones, I can set signature validity to 14, Resign
> to 10. This will cause a resign every 4 days. Signature expiry should
> not fall below 10 days with this (minus 3 hours). Correct? So e.g. nine
> days would be safe to check in Nagios.
You haven't talked about Refresh yet. At least the Refresh period should
be higher than the Resign period. I think a Resign period of 4 days is
quite high. I would make it a couple of hours.
The Refresh period allows you to regenerate signatures some time before
they expire. This is usually set to the time it takes to resolve issues
with the signer system, plus the weekend. So the Refresh period is
usually a few days.
If you have a Refresh period of 3 days, a Resign period of 12 hours, and
a Signature Validity of 14 days, then you should let nagios check that a
signature does not expire within 10.5 days (14 - 3 - 0.5).
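The threshold arithmetic above, as an added example that is not part of the original thread and not OpenDNSSEC or Nagios code: it reads Resign, Refresh and Validity/Default from the <Signatures> block of a policy in kasp.xml, derives the minimum remaining signature lifetime (Validity - Refresh - Resign), and grades an RRSIG expiration field against it with Nagios exit codes. The kasp.xml snippet is a constructed sample with only the elements used here, the one-day CRITICAL level and the function names are my own choices, and jitter is not accounted for.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# ISO 8601 duration subset as written in kasp.xml: P[nW][nD][T[nH][nM][nS]]
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """Turn 'P14D', 'PT12H', 'P3DT2H' or 'PT3600S' into a timedelta."""
    text = text.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: %r" % text)
    weeks, days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(weeks=weeks, days=days, hours=hours, minutes=minutes, seconds=seconds)


def min_remaining_lifetime(validity, refresh, resign):
    """Lowest remaining lifetime a signature reaches in normal operation.

    A signature is only regenerated once it is within Refresh of expiring,
    and the signer only looks every Resign, so just before a resign run the
    oldest signature has Validity - Refresh - Resign left (14d - 3d - 12h).
    Refresh must exceed Resign, as the reply above requires.
    """
    if refresh <= resign:
        raise ValueError("Refresh must be larger than Resign")
    return validity - refresh - resign


def nagios_threshold_from_kasp(kasp_xml, policy_name):
    """Derive the Nagios warning threshold from one policy's <Signatures>."""
    root = ET.fromstring(kasp_xml)
    for policy in root.iter("Policy"):
        if policy.get("name") != policy_name:
            continue
        sig = policy.find("Signatures")
        return min_remaining_lifetime(
            parse_duration(sig.findtext("Validity/Default")),
            parse_duration(sig.findtext("Refresh")),
            parse_duration(sig.findtext("Resign")),
        )
    raise KeyError("no policy named %r" % policy_name)


def rrsig_time(field):
    """Parse an RRSIG Signature Expiration/Inception field in presentation
    format (YYYYMMDDHHmmSS, UTC, RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig(expiration, now, warn, crit=timedelta(days=1)):
    """Return (Nagios exit code, message) for one signature's remaining life.
    The one-day CRITICAL default is an assumption, not an OpenDNSSEC value."""
    remaining = expiration - now
    days = remaining.total_seconds() / 86400.0
    if remaining <= crit:
        return 2, "CRITICAL: RRSIG expires in %.2f days" % days
    if remaining < warn:
        return 1, "WARNING: RRSIG expires in %.2f days (warn is %.2f)" % (
            days, warn.total_seconds() / 86400.0)
    return 0, "OK: RRSIG expires in %.2f days" % days


# Constructed sample: the numbers from the reply (Resign 12h, Refresh 3d,
# Validity 14d); a real kasp.xml carries many more elements.
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Signatures>
      <Resign>PT12H</Resign>
      <Refresh>P3D</Refresh>
      <Validity>
        <Default>P14D</Default>
        <Denial>P14D</Denial>
      </Validity>
    </Signatures>
  </Policy>
</KASP>"""


def run_checks(now_field, expiration_fields, kasp_xml=SAMPLE_KASP, policy="default"):
    """Grade several RRSIG expiration fields against the policy threshold;
    returns the list of Nagios exit codes."""
    warn = nagios_threshold_from_kasp(kasp_xml, policy)
    now = rrsig_time(now_field)
    return [check_rrsig(rrsig_time(f), now, warn)[0] for f in expiration_fields]


if __name__ == "__main__":
    warn = nagios_threshold_from_kasp(SAMPLE_KASP, "default")
    print("warn threshold: %.2f days" % (warn.total_seconds() / 86400.0))
    now = rrsig_time("20131211105428")
    for exp in ("20131223105428", "20131221000000", "20131211200000"):
        print(*check_rrsig(rrsig_time(exp), now, warn))
```

With these settings the threshold comes out at 10.5 days, so the 11.6 days in the subject line is a healthy signature and a kskwarn of 12.0 can never be satisfied: the warning level has to be derived from the policy, not set equal to the validity period.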