[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
voja at voja.de
Thu Dec 12 08:53:41 UTC 2013
> If you set <Resign> to 12 days, the signer will sign the zone every
> 12 days. That is not what you want I guess.
correct. I want it to happen more often.
> If you have a Refresh period of 3 days, a Resign period of 12 hours,
> and a Signature Validity of 14 days, then you should let nagios check
> that a signature does not expire within 10.5 days (14 - 3 - 0.5).
My default policy contains since your email yesterday:
The Nagios plugin is complaining again, as of the zone is still not
getting fresh signatures:
dnssec_monitor.rb -z dnssec.cc --kskwarn 10 -n a.dnssecns.de
6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
6 : (a.dnssecns.de): Adding zsk : 64429
6 : (a.dnssecns.de): Adding ksk : 53095
6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY
will expire in 9.68614583333333 days (kskwarn is 10.0)
6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
6 : (a.dnssecns.de): dnssec.cc, NS verified OK
6 : (a.dnssecns.de): Checking non-existing domain for
6 : Finished checking on a.dnssecns.de(a.dnssecns.de)
The signing is still sheduled, but this is what I see every time, that
the zone is signed in the next hour, but it's not, signatures are still
going to expire.
It is now Thu Dec 12 09:51:25 2013
I have 1 tasks scheduled.
On Thu Dec 12 09:57:20 2013 I will [sign] zone dnssec.cc
More information about the Opendnssec-user