[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Volker Janzen voja at voja.de
Thu Dec 12 09:06:56 UTC 2013


Hi Matthijs,

this is from my current syslog:

Dec 12 09:57:20 a ods-signerd: [worker[4]] report for duty
Dec 12 09:57:20 a ods-signerd: [scheduler] pop task for zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [scheduler] unschedule task [sign] for
zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [worker[4]] start working on zone
dnssec.cc
Dec 12 09:57:20 a ods-signerd: [worker[4]] perform task [sign] for zone
dnssec.cc at 1386838640
Dec 12 09:57:20 a ods-signerd: [worker[4]] sign zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [namedb] zone dnssec.cc update serial:
format=unixtime in=102 internal=1386680240 out=1386680240 now=1386838640
Dec 12 09:57:20 a ods-signerd: [namedb] zone dnssec.cc update serial:
1386680240 + 158400 = 1386838640
Dec 12 09:57:20 a ods-signerd: [zone] zone dnssec.cc set soa serial to
1386838640
Dec 12 09:57:20 a ods-signerd: [hsm] libhsm connection ok
Dec 12 09:57:20 a ods-signerd: [worker[1]] report for duty
Dec 12 09:57:20 a ods-signerd: [worker[1]] nothing to do
Dec 12 09:57:20 a ods-signerd: [worker[2]] report for duty
Dec 12 09:57:20 a ods-signerd: [worker[2]] nothing to do
Dec 12 09:57:20 a ods-signerd: [worker[3]] report for duty
Dec 12 09:57:20 a ods-signerd: [worker[3]] nothing to do
Dec 12 09:57:20 a ods-signerd: [worker[4]] wake up
Dec 12 09:57:20 a ods-signerd: [worker[4]] somebody poked me, check
completed jobs 23 appointed, 23 completed, 0 failed
Dec 12 09:57:20 a ods-signerd: [worker[4]] sign zone dnssec.cc ok: 23
of 23 RRsets succeeded
Dec 12 09:57:20 a ods-signerd: [worker[4]] write zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [tools] skip write zone dnssec.cc serial
1386838640 (zone not changed)
Dec 12 09:57:20 a ods-signerd: [worker[4]] next task [sign] for zone
dnssec.cc
Dec 12 09:57:20 a ods-signerd: [worker[4]] finished working on zone
dnssec.cc
Dec 12 09:57:20 a ods-signerd: [scheduler] schedule task [sign] for
zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [task] On Thu Dec 12 11:57:20 2013 I
will [sign] zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [worker[4]] report for duty
Dec 12 09:57:20 a ods-signerd: [worker[4]] nothing to do


According to the log "zone not changed" there was indeed no change /
refresh of the zonefile:
ls -ld /var/lib/opendnssec/signed/dnssec.cc
-rw-r--r-- 1 opendnssec opendnssec 9288 Dec 10 13:57
/var/lib/opendnssec/signed/dnssec.cc

Now checking if nagios is correct with its complaint:

dig DNSKEY dnssec.cc @localhost +dnssec

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> DNSKEY dnssec.cc @localhost
+dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12811
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.cc.                     IN      DNSKEY

;; ANSWER SECTION:
dnssec.cc.              3600    IN      DNSKEY  256 3 8
AwEAAZEGNVbFYT/YJMQrbS79+nmV/n2ow6/GRYLEEXzqZXWSUpt0oSWI
SHjcqfMBdfQNGMtXdmdFFN2aemybPsp17jnNaYILbHEh7vnL4PKRya/H
rPA2YVDDDhTxDpTFdE/xMLStFhYwx3Zrwv13XjrlO4LsrE9FRnyYGd5W Srb9v9cd
dnssec.cc.              3600    IN      DNSKEY  257 3 8
AwEAAdSkw0YfJFiaeDBb0jERfeVCbr5eTPoKLJRgd8BJ1H3FCGiGyyRr
wGg/muiMDUEOIy1Y7AseYCmDmD720sesBqwZr4+jCKlmwGD4S2g8dO5M
NZCXJZJqDzHJrHNvwj64vUXTl+lGDw4Vbwkn1+J5ffKeD4dY2Y4kJ5fA
mWdNnxwd6cotxDmhU7bElhWZ9FRdLfKfvhKdd7BFCzAEl5Ztz2N1zQXL
pwE55xEPoFut/awC6R/lVhtvuOWdOzrabccJ0w4ydrHBXCBJgGCVRS47
pprQ2w8bRt7HLax/qvqUUb2qTBDEEJGSwWt64t5f6Ae0HwMOzxse9HRi d2Y+4VPGRq0=
dnssec.cc.              3600    IN      RRSIG   DNSKEY 8 2 3600
20131222011745 20131208081209 53095 dnssec.cc.
QR0qJYjQU2mjDsg7KQMHPhesPiHlrkzMwZMQYpD+OwJ+PIDKkaCH9a/h
uVx5trmTTmbmW8Q6sLWt/EInVrqN10qAo9ZC8VK940Dw6AtEAz86WvcI
SxjnuajlNLUSg84XsAbadBAMGmyqD0QuxiyaZXaunPBSCiyA0xzwqW5f
4gQcmgUVc6b1lENIWrX7pqsR02SgRb1sLD0y3OLtsmsEAJfyhk5vXr5j
TVw3yTLGDPLs6MdLgdqAiD8+BreTdvHjoay2v4jBVqkwfAv4q1iyn8iK
4dYyZeBs9fBgULfF/xpHPViE7+zqjDhnIILZtxONuwP5lWnAC79SYh36 qqtl2A==

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 12 10:01:11 2013
;; MSG SIZE  rcvd: 759

RRSIG expire is 20131222011745 -> that's indeed less than 10 days away.
And as far as I understood the configuration, the signature should have
been refreshed in the meantime. And that is what I want, that the
signatures are refreshed more often.


Volker
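
Added example (not part of the original message, and not code from OpenDNSSEC or the Nagios check): a Python sketch of the expiry calculation done by hand above, reading the RRSIG expiration and inception from dig output and comparing the remaining validity with a warning threshold. The function names and the sample text are assumptions; the RRSIG header fields, the epoch 1386838640 and the 12.0-day threshold are taken from the dig answer, the syslog excerpt and the subject line.

```python
import re
from datetime import datetime, timezone

# Constructed sample: RRSIG header fields copied from the dig answer above,
# key and signature data replaced by placeholders, line wrap kept on purpose.
SAMPLE_DIG = """\
dnssec.cc.   3600  IN  DNSKEY  257 3 8 PLACEHOLDERKEY=
dnssec.cc.   3600  IN  RRSIG   DNSKEY 8 2 3600
20131222011745 20131208081209 53095 dnssec.cc.
PLACEHOLDERSIGNATURE==
"""

# owner TTL IN RRSIG covered alg labels origttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"\S+\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+\S+"
)

def parse_ts(text):
    # RRSIG presentation-format timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(dig_text, now, warn_days):
    """Return one (state, covered, keytag, days_left) tuple per RRSIG found."""
    results = []
    # \s+ also matches newlines, so records wrapped by dig or mail still parse.
    for m in RRSIG_RE.finditer(dig_text):
        inception, expiration = parse_ts(m["inc"]), parse_ts(m["exp"])
        days_left = (expiration - now).total_seconds() / 86400
        if now < inception:
            state = "NOT_YET_VALID"
        elif days_left <= 0:
            state = "EXPIRED"
        elif days_left < warn_days:
            state = "WARNING"
        else:
            state = "OK"
        results.append((state, m["covered"], int(m["keytag"]), days_left))
    return results

if __name__ == "__main__":
    # Signer run time taken from the syslog excerpt (epoch 1386838640).
    now = datetime.fromtimestamp(1386838640, tz=timezone.utc)
    for state, covered, keytag, days in check_rrsigs(SAMPLE_DIG, now, 12.0):
        print(f"{state}: RRSIG({covered}) key tag {keytag}: {days:.2f} days left")
```
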



