[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Volker Janzen voja at voja.de
Thu Dec 12 08:53:41 UTC 2013

Hi Matthijs,

> If you set <Resign> to 12 days, the signer will sign the zone every
> 12 days. That is not what you want I guess.

correct. I want it to happen more often.

> If you have a Refresh period of 3 days, a Resign period of 12 hours,
> and a Signature Validity of 14 days, then you should let nagios check
> that a signature does not expire within 10.5 days (14 - 3 - 0.5).

My default policy contains since your email yesterday:


The Nagios plugin is complaining again, as of the zone is still not
getting fresh signatures:

dnssec_monitor.rb -z dnssec.cc --kskwarn 10 -n a.dnssecns.de
6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
6 : (a.dnssecns.de): Adding zsk : 64429
6 : (a.dnssecns.de): Adding ksk : 53095
6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY
will expire in 9.68614583333333 days (kskwarn is 10.0)
6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
6 : (a.dnssecns.de): dnssec.cc, NS verified OK
6 : (a.dnssecns.de): Checking non-existing domain for
dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
6 : Finished checking on a.dnssecns.de(a.dnssecns.de)

The signing is still sheduled, but this is what I see every time, that
the zone is signed in the next hour, but it's not, signatures are still
going to expire.

ods-signer queue
It is now Thu Dec 12 09:51:25 2013

I have 1 tasks scheduled.
On Thu Dec 12 09:57:20 2013 I will [sign] zone dnssec.cc


More information about the Opendnssec-user mailing list