[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Volker Janzen voja at voja.de
Sat Dec 14 16:19:20 UTC 2013


Hi Matthijs,

> If you have a Refresh period of 3 days, a Resign period of 12 hours,
> and a Signature Validity of 14 days, then you should let nagios check
> that a signature does not expire within 10.5 days (14 - 3 - 0.5).

What I did today was setting Refresh to P13D. As far as I understand
the docs, this should resign all records whose signatures will expire in
less than 13 days. With a validity of 14 days, it should refresh the
signatures every day. I issued "ods-ksmutil update kasp", OpenDNSSEC did
a resign and minutes later Nagios stopped complaining. I'll wait and
check the logs and signatures in a few days to see what's happening.


Regards
   Volker



