[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)
matthijs at nlnetlabs.nl
Tue Dec 17 08:04:35 UTC 2013
On 12/12/2013 09:53 AM, Volker Janzen wrote:
> Hi Matthijs,
>> If you set <Resign> to 12 days, the signer will sign the zone every
>> 12 days. That is not what you want I guess.
> correct. I want it to happen more often.
>> If you have a Refresh period of 3 days, a Resign period of 12 hours,
>> and a Signature Validity of 14 days, then you should let nagios check
>> that a signature does not expire within 10.5 days (14 - 3 - 0.5).
I must have been tired. Above is wrong. I meant to say that a signature
must be refreshed after 10.5 days. And I made a calculation error: it
should be 11.5 days (14 - (3-0.5)). A signature with these values should
not expire within 2.5 (3-0.5) days.
I am sorry for the confusion.
> My default policy contains since your email yesterday:
If you want signatures to be refreshed 10 days before it expires, your
policy should say:
This will make signatures be refreshed (14 - (11-0.2)) after about 3 days.
> The Nagios plugin is complaining again, as of the zone is still not
> getting fresh signatures:
> dnssec_monitor.rb -z dnssec.cc --kskwarn 10 -n a.dnssecns.de
> 6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
> 6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
> 6 : (a.dnssecns.de): Adding zsk : 64429
> 6 : (a.dnssecns.de): Adding ksk : 53095
> 6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
> 4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY
> will expire in 9.68614583333333 days (kskwarn is 10.0)
> 6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
> 6 : (a.dnssecns.de): dnssec.cc, NS verified OK
> 6 : (a.dnssecns.de): Checking non-existing domain for
> dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
> 6 : Finished checking on a.dnssecns.de(a.dnssecns.de)
> The signing is still sheduled, but this is what I see every time, that
> the zone is signed in the next hour, but it's not, signatures are still
> going to expire.
> ods-signer queue
> It is now Thu Dec 12 09:51:25 2013
> I have 1 tasks scheduled.
> On Thu Dec 12 09:57:20 2013 I will [sign] zone dnssec.cc
More information about the Opendnssec-user