[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
Volker Janzen
voja at voja.de
Thu Dec 12 08:53:41 UTC 2013
Hi Matthijs,
> If you set <Resign> to 12 days, the signer will sign the zone every
> 12 days. That is not what you want I guess.
correct. I want it to happen more often.
> If you have a Refresh period of 3 days, a Resign period of 12 hours,
> and a Signature Validity of 14 days, then you should let nagios check
> that a signature does not expire within 10.5 days (14 - 3 - 0.5).
Since your email yesterday, my default policy contains:
<Signatures>
    <Resign>PT2H</Resign>
    <Refresh>P3D</Refresh>
    <Validity>
        <Default>P14D</Default>
        <Denial>P14D</Denial>
    </Validity>
    <Jitter>PT12H</Jitter>
    <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>
The Nagios plugin is complaining again, as if the zone is still not
getting fresh signatures:
dnssec_monitor.rb -z dnssec.cc --kskwarn 10 -n a.dnssecns.de
6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
6 : (a.dnssecns.de): Adding zsk : 64429
6 : (a.dnssecns.de): Adding ksk : 53095
6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY will expire in 9.68614583333333 days (kskwarn is 10.0)
6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
6 : (a.dnssecns.de): dnssec.cc, NS verified OK
6 : (a.dnssecns.de): Checking non-existing domain for dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
6 : Finished checking on a.dnssecns.de(a.dnssecns.de)
The signing is still scheduled, but this is what I see every time: the
zone will be signed in the next hour, but it isn't, and the signatures
are still going to expire.
ods-signer queue
It is now Thu Dec 12 09:51:25 2013
I have 1 tasks scheduled.
On Thu Dec 12 09:57:20 2013 I will [sign] zone dnssec.cc
Volker
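The exchange above turns on how a kskwarn threshold relates to the policy values. The Python below is an added example (my code, not from the thread and not part of OpenDNSSEC): it parses the <Signatures> block posted above and models how much validity a served RRSIG has left at each signer run, so you can see which thresholds would alarm even when the signer is on schedule. It assumes, as my reading of the kasp semantics rather than anything the thread states, that the signer runs every Resign, re-generates an RRSIG once its expiration is less than Refresh away, and that Jitter can move an expiration by up to its full value in either direction; if your signer behaves differently, adjust min_remaining_seconds.

```python
"""Model the remaining validity of an OpenDNSSEC signature under a
<Signatures> policy, to pick a monitor threshold that does not alarm
during normal operation.  Added example, not OpenDNSSEC code.

Assumed signer behaviour (my reading, not stated in the thread):
  - the signer runs every <Resign>;
  - at each run it re-generates an RRSIG whose expiration is less than
    <Refresh> away;
  - a new RRSIG is valid for <Validity>, shifted by up to +/- <Jitter>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input: the <Signatures> block posted in the thread.
POLICY_XML = """<Signatures>
    <Resign>PT2H</Resign>
    <Refresh>P3D</Refresh>
    <Validity>
        <Default>P14D</Default>
        <Denial>P14D</Denial>
    </Validity>
    <Jitter>PT12H</Jitter>
    <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>"""

# kasp.xml durations are ISO 8601 without years/months: P3D, PT2H, PT3600S.
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Return the number of seconds in a kasp-style ISO 8601 duration."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    weeks, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return (weeks * 7 + days) * 86400 + hours * 3600 + minutes * 60 + seconds


def load_policy(xml_text):
    """Extract the timing parameters from a <Signatures> element."""
    root = ET.fromstring(xml_text)
    return {
        "resign": parse_duration(root.findtext("Resign")),
        "refresh": parse_duration(root.findtext("Refresh")),
        "validity": parse_duration(root.findtext("Validity/Default")),
        "jitter": parse_duration(root.findtext("Jitter", "PT0S")),
    }


def min_remaining_seconds(policy):
    """Lowest remaining validity a monitor can observe when the signer is on
    schedule, under the assumed behaviour above and worst-case jitter
    (expiration pulled in by the full Jitter)."""
    resign, refresh = policy["resign"], policy["refresh"]
    if resign <= 0 or refresh >= policy["validity"]:
        raise ValueError("Resign must be positive and Refresh shorter than Validity")
    lifetime = policy["validity"] - policy["jitter"]
    now, expiration, lowest, refreshes = 0, lifetime, lifetime, 0
    while refreshes < 2:  # the saw-tooth repeats after the first refresh
        remaining = expiration - now  # what a check sees just before this run
        lowest = min(lowest, remaining)
        if remaining < refresh:  # due for refresh: new RRSIG from this run
            expiration = now + lifetime
            refreshes += 1
        now += resign
    return lowest


def monitor_window_days(policy):
    """(lowest, highest) remaining validity in days seen in normal operation."""
    return (min_remaining_seconds(policy) / 86400,
            (policy["validity"] + policy["jitter"]) / 86400)


def threshold_alarms_in_normal_operation(warn_days, policy):
    """True if a kskwarn-style threshold fires even with the signer on schedule."""
    return warn_days > monitor_window_days(policy)[0]


def observation_is_plausible(remaining_days, policy):
    """True if a reported 'will expire in N days' fits the modelled window."""
    low, high = monitor_window_days(policy)
    return low <= remaining_days <= high


if __name__ == "__main__":
    pol = load_policy(POLICY_XML)
    low, high = monitor_window_days(pol)
    print(f"remaining validity in normal operation: {low:.3f} .. {high:.3f} days")
    for warn in (10.0, 2.5):
        print(f"kskwarn {warn}: alarms in normal operation ->",
              threshold_alarms_in_normal_operation(warn, pol))
```

Under this model the remaining validity saw-tooths between Validity + Jitter and roughly Refresh - Resign, so a threshold that never fires on a healthy zone has to sit below the latter; with the posted policy that is just under 2 days 22 hours, and the 9.69 days reported by dnssec_monitor.rb is inside the normal window. Feeding in the earlier example from the thread (Resign PT12H, no jitter) gives a floor of 2.5 days.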